1 CI-100 DCS 3000 to EDMS SETUP MANUAL 

1.1 Purpose and Scope 

This document is designed to guide the System Administrator (SA) as well as the 
Information System Security Officer (ISSO) in the process of installing and configuring 
the hardware and software associated with properly setting up the CI-100 DCS 3000 to 
EDMS transfer. This document can, and should, be used in conjunction with the 
contingency plan in the event the System Owner(s) find(s) it necessary to rebuild this 
portion of the system. 


2 System Installation, Configuration, and Operation 

2.1 Installation and Configuration 

The DCS3000 to EDMS system is partly composed of two (2) Dell 2850 servers, both 
running Microsoft Windows 2000 Server. These servers have been secured according to 
NIST standards. In the event that these servers need to be rebuilt, the installation disk(s) 
can be obtained by contacting the ISSO. The security configuration of the two servers 
has been captured in an INF file (security template) and can also be obtained by contacting the ISSO. 

2.1.1 Installation and Configuration Low Side 

The DCS3000 to EDMS system also includes a CI-100 unit which is 
controlled by in-house software. In the event this software needs to be reconfigured, the 
following steps are necessary in order to ensure the system is operational and 
stable: 
System Security Plan 


INTRODUCTION 

This system security plan (SSP) is for the type accreditation of the Controlled Interface-100 or 
CI-100. The CI-100 performs security domain adjudication of data transfer from an unclassified 
domain to a confidential/secret domain. This transfer is conducted via a modified networking 
medium, either a fiber optic cable or an RS-232 serial cable. This system is being accredited at 
the Tier-Two approval level with a high Confidentiality Goal, a high Integrity Goal, and a high 
Availability Goal. The CI-100 Security Concept of Operations (CONOPS) has been combined 
with this SSP. 
1 INFORMATION SYSTEM GENERAL INFORMATION 


1.1 Security Administration 

This SSP supports the initial accreditation of the CI-100 system and, due to the utility of the 
CI-100 configuration and its implementation at various operating locations, a type accreditation is 
warranted. This SSP is valid for three years or until a change to the architecture or configuration 
impacts the system security. In the event of a security incident involving the CI-100, the 
accreditation of the specific system should be reviewed. 

1.1.1 System Information 

This original SSP is for the type accreditation of the CI-100, a specially designed device used to 
transfer data from an unclassified network to a confidential/secret network. The CI-100 will 
always be treated as a single unit and will be limited to performing a single function - the transfer 
of data between the unclassified and confidential/secret security domains. A CI-100 is not 
permitted to connect a Tier 4 system to any other system. 

1.1.2 Key System Points of Contact 

The security administration for the CI-100 will vary by location. When a CI-100 is installed at a 
location, the local information systems security officer (ISSO) will identify and maintain a list of 
the following personnel: ISSO, information systems security manager (ISSM), system 
administrator(s), and the data owners of the connected systems. The following tables identify the 
points of contact for the CI-100: 


Program Manager/System Owner 
  Name:              [redacted] 
  Organization:      Information Assurance Section (IAS), Security Division (SECD) 
  Telephone Number:  202-324-[redacted] 
  Location:          Room 7986, FBIHQ 

Designated Accrediting Authority (DAA) 
  Name:              William L. Hooton 
  Organization:      Office of the Chief Information Officer 
  Telephone Number:  202-324-[redacted] 
  Location:          Room 117[illegible], FBIHQ 

Certification Official 
  Name:              [redacted] 
  Organization:      SECD 
  Telephone Number:  202-324-[redacted] 
  Location:          Room 7128, FBIHQ 

Security Certification Official 
  Name:              [redacted] 
  Organization:      IAS, SECD 
  Telephone Number:  202-324-[redacted] 
  Location:          Room 1B948, FBIHQ 

DAA Representative 
  Name:              [redacted] 
  Organization:      IAS, SECD 
  Telephone Number:  202-324-[redacted] 
  Location:          Room [redacted], FBIHQ 

Information Systems Security Officer (ISSO) 
  Name:              [redacted] 
  Organization:      OTD/ESTS/ETMU 
  Telephone Number:  [redacted] 
  Location:          ERF Quantico, VA 

Information Systems Security Manager (ISSM) 
  Name:              [redacted] 
  Organization:      
  Telephone Number:  
  Location:          ERF Quantico, VA 

System Administrator #1 (b7C) 
  Name:              [redacted] 
  Organization:      OTD/ESTS/ETMU 
  Telephone Number:  [redacted] 
  Location:          ERF Quantico, VA 

System Administrator #2 
  Name:              [redacted] 
  Organization:      OTD/ESTS/ETMU 
  Telephone Number:  [redacted] 
  Location:          ERF Quantico, VA 

System Administrator #3 
  Name:              
  Organization:      
  Telephone Number:  
  Location:          

Data Owner of Unclassified System 
  Name:              [redacted] 
  Organization:      OTD/ESTS/TICTU 
  Telephone Number:  [redacted] 
  Location:          ERF Quantico, VA 

Data Owner of Secret System 
  Name:              [redacted] 
  Organization:      OTD/ESTS/ETMU 
  Telephone Number:  [redacted] 
  Location:          
1.1.3 Security Organization 

The information assurance architecture is currently under development by the Information 
Assurance Section, with ISSOs and ISSMs still being recruited. Once these personnel have been 
identified, the local ISSO will attach a list of security-pertinent personnel at their location and 
maintain the list with this packet. A basic organizational chart is found in Appendix A. 

1.1.4 Joint-Use Information 
Not applicable. 

1.2 Mission 

1.2.1 Purpose and Scope 

The CI-100 acts as a controlled interface security device connecting an unclassified system (Low 
side) with a confidential or secret system (i.e., High side). The connection between the two 
security domains is accomplished by a "one-way transfer" (OWT) through the use of a modified 
RS-232 serial cable or fiber optic cable. The modified cable permits information to travel from 
the low side to the high side and eliminates the possibility of the high system passing data 
to the low. This is accomplished by converting the data from TCP/IP to UDP or serial, both 
connectionless carriers that need no acknowledgement traffic and therefore no return path. The 
data is pushed from the low side and across the OWT cable to the high system. Once on the 
classified system, the information is converted back to TCP/IP and sent out to the classified network. 
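The following is an added illustration of the low-side push and high-side reassembly described above, written for this edit and not the CI-100's own GOTS conversion program. It assumes a frame layout of its own (a magic marker, a sequence number, a length and a CRC-32 per datagram, 1024 bytes of stream data per frame); the SSP does not state what the real program puts on the wire. With no return path, the high side can only detect loss or corruption, not request retransmission, so the receiver reports the sequence numbers that did not arrive intact; the `transfer` helper runs both sides over loopback and can drop or damage chosen frames to stand in for a bad cable.

```python
"""One-way transfer (OWT) pump modelled on the CI-100 description (added example)."""
import socket
import struct
import zlib

MAGIC = b"OWT1"                  # assumed frame marker, not a CI-100 value
HDR = struct.Struct("!4sIHI")    # magic, seq, payload length, crc32
SLICE = 1024                     # stream bytes per datagram (assumption)


def crc(seq: int, payload: bytes) -> int:
    # The CRC covers the sequence number too, so a corrupted header field
    # cannot silently re-sequence an otherwise valid payload.
    return zlib.crc32(struct.pack("!I", seq) + payload) & 0xFFFFFFFF


def frame(seq: int, payload: bytes) -> bytes:
    """Build one datagram: fixed header followed by the payload slice."""
    return HDR.pack(MAGIC, seq, len(payload), crc(seq, payload)) + payload


def parse(datagram: bytes):
    """Return (seq, payload); raise ValueError if the frame is not intact."""
    if len(datagram) < HDR.size:
        raise ValueError("short frame")
    magic, seq, length, want = HDR.unpack_from(datagram)
    payload = datagram[HDR.size:]
    if magic != MAGIC or len(payload) != length:
        raise ValueError("bad header")
    if crc(seq, payload) != want:
        raise ValueError("crc mismatch")
    return seq, payload


def low_side_push(stream: bytes, dst, sock, impair=None) -> int:
    """Slice a byte stream received over TCP and send it blind over UDP.
    An empty payload after the last slice marks end of stream. `impair`
    (test aid) may drop a frame (return None) or damage it in flight.
    Returns the number of data frames sent."""
    slices = [stream[i:i + SLICE] for i in range(0, len(stream), SLICE)]
    for seq, payload in enumerate(slices + [b""]):
        datagram = frame(seq, payload)
        if impair is not None:
            datagram = impair(seq, datagram)
        if datagram is not None:
            sock.sendto(datagram, dst)
    return len(slices)


def high_side_receive(sock, timeout=1.0):
    """Collect frames until the end marker (or silence). Returns the
    reassembled stream and an audit dict: `missing` lists the sequence
    numbers that must be resent (lost or rejected), `corrupt` counts rejects."""
    sock.settimeout(timeout)
    frames, corrupt, end = {}, 0, None
    while end is None:
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            break
        try:
            seq, payload = parse(data)
        except ValueError:
            corrupt += 1          # rejected frame; its seq stays "missing"
            continue
        if payload:
            frames[seq] = payload
        else:
            end = seq             # end marker: data frames are 0..seq-1
    if end is None:               # end marker lost: best-effort bound
        end = max(frames) + 1 if frames else 0
    missing = [s for s in range(end) if s not in frames]
    stream = b"".join(frames[s] for s in sorted(frames))
    return stream, {"missing": missing, "corrupt": corrupt}


def transfer(stream: bytes, drop=(), flip=()):
    """Run both sides over loopback. `drop`/`flip` name sequence numbers to
    lose or corrupt in flight (test aid only, not part of the transport)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))

        def impair(seq, d):
            if seq in drop:
                return None
            return d[:-1] + bytes([d[-1] ^ 0xFF]) if seq in flip else d

        low_side_push(stream, rx.getsockname(), tx, impair)
        return high_side_receive(rx)
    finally:
        rx.close()
        tx.close()
```

`transfer(data)` returns the original bytes and an empty audit; `transfer(data, drop={1}, flip={2})` returns only the first slice and reports frames 1 and 2 as missing, frame 2 also counted as corrupt, which is exactly the list the low side has to resend by hand.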

USE OF THIS SYSTEM IS RESTRICTED TO DATA TRANSFERS FROM AN 
UNCLASSIFIED SYSTEM TO A CONFIDENTIAL/SECRET SYSTEM. UNDER NO 
CIRCUMSTANCES WILL AN UNCLASSIFIED SYSTEM BE CONNECTED TO A TOP 
SECRET OR A SENSITIVE COMPARTMENTED INFORMATION (SCI) SYSTEM OR THE 
DATA TRANSFER BE REVERSED, SENDING DATA FROM THE CLASSIFIED SYSTEM 
TO AN UNCLASSIFIED SYSTEM. 

1.2.2 Supported Projects 

The CI-100 can support any approved project where data needs to be moved from an unclassified 
system to a confidential/secret system. 

1.2.3 Information System Usage 

The only authorized use of this system is to provide a one-way transfer of data from an 
unclassified system to a confidential/secret system. Under no circumstances will it be used 
otherwise. Also, it will never be used to transfer data from a confidential/secret system to an 
unclassified system. 
2 SECURE FACILITY DESCRIPTION 

2.1 Facility Layout 

As this is a type accreditation, a CI-100 can be deployed to a variety of different locations. 
However, there are some basic security requirements for the facility hosting the interface: 

• The facility must be FBI-controlled space. 

• The facility must be authorized for open storage of secret material on a hard disk drive. 

• Access to the CI-100 must be restricted to only essential personnel (i.e., system 
administrators and ISSOs). General users should not be able to physically or logically access 
the system. 

• Any uncleared visitors must be escorted when in the vicinity of the system. 

The ISSO will provide a facility diagram and maintain it in Appendix B of this packet. 

2.2 System Layout 

The ISSO will provide a system layout diagram showing the physical location of the CI-100 and 
the systems to which it connects (if in the same location). This diagram will be maintained in 
Appendix C of this packet. 

2.3 Physical Environment 


The ISSO will annotate the approval date and authority for processing of classified information 
in this facility. If this approval does not state that open storage of secret information on the hard 
disk drive is permitted, then the approval date and authority for open storage will also be noted. 


Facility Name:         ERF 
Location:              Quantico, VA 
Approval Date:         2 November 1998 
Approval Authority:    [redacted] 
Classification Level:  Secret 
Open Storage?:         Yes 
Comments:              EC Case Number ID# 261D-HQ-C1062048-707; 
                       FBI\SecD\Security Operations\Physical Security Unit 

A one-meter (39 inches) separation will be maintained between the unclassified and classified 
computers of this system. This separation also applies to other systems in the vicinity of the 
CI-100. 


If a keyboard-video-mouse (KVM) switch is used, only an authorized KVM switch is permitted. 
The Information Assurance Section (IAS) of the Security Division can provide a list of 
authorized KVM switches. 

All devices and media in the CI-100 will be properly marked with the appropriate classification 
labels. See subsection 7.7 for more information. 

In most cases, the two computers that make up the CI-100 will be located in close proximity to 
one another (given the one-meter separation requirement). If the two systems must be located in 
two different locations, the fiber that connects the two computers will be encrypted or contained 
in a protected distribution system (PDS) if it passes through an area not authorized for handling 
classified data. 
2.4 TEMPEST 
Not applicable. 

3 SYSTEM DESCRIPTION 

3.1 Summary 

The CI-100 provides the technical ability to securely transfer digitized data from an unclassified 
system to a confidential or secret system. The movement of this data is technologically secure 
by using connectionless data protocols to push information across a modified networking 
medium. Each CI-100 is composed of two computers, one on the low (unclassified) side and one 
on the high (confidential/secret) side. Currently, this is accomplished by modifying a fiber optic 
or RS-232 cable so that it can only transmit data in one direction, from the low system to the 
high system. 

A CI-100 computer can use a variety of operating systems although, currently, only Windows 
2000 Professional or Windows 2000 Server is authorized (see subsection 5.1). The Windows operating system is 
hardened according to SANS (SysAdmin, Audit, Network, 
Security) Institute, National Institute of Standards and Technology (NIST), and Common Criteria 
guidelines. All unnecessary services are turned off and unneeded ports blocked to limit the 
computer's exposure. 

Please see subsection 4.2 for a description of the customized hardware (i.e., NICs, fiber optic and 
RS-232 cables). 


Due to its unique capabilities and simplicity, the CI-100 can be deployed in a variety of 
environments. The goals for integrity and availability can vary from basic to high. As this is a 
type accreditation, it takes the most restrictive approach and is assigned a high goal for both 
integrity and availability. The confidentiality goal is also high, as information residing on the 
classified side of the network must be protected from disclosure. 

Since all users (privileged users only) on this system have the appropriate security clearance, the 
need-to-know for all of the information on the system, and formal access approval, the CI-100 is 
a Tier Two (2) approval level system since it connects to other networks. 


3.2 System Diagram 

The CI-100 acts as an interface between two different networks, one unclassified, and the other, 
confidential or secret. The interface is composed of two computers, the low-side computer and 
the high-side computer. The low-side computer is unclassified and directly connects through a 
NIC (either fiber optic or RJ-45 based) to the unclassified network. The high-side computer is 
confidential or secret and directly connects through a NIC (either fiber optic or RJ-45 based) to 
the classified network. These two computers (the low and high-side computers) are connected 
using a modified fiber optic or serial cable that only permits data to be transmitted from the low 
to high computers. (If using a fiber optic cable, the NIC is also modified to enable this one-way 
transfer.) Due to the cable's modifications, it is not possible for data to flow from the high-side 
system to the low-side. 



Figure 3-1 - Basic CI-100 Logical Diagram 

3.3 Personnel Security 

Any person authorized to access the system must have a minimum of a Secret clearance. These 
employees have an FBI Full Field Background Investigation (FFBI) or Department of 
Defense/Intelligence Community Single Scope Background Investigation (SSBI). The HQ or 
field office where the CI-100 is located will designate the system administrators authorized to 
maintain the system. The ISSO, system owner, and local security officer will verify that these 
administrators have the appropriate security clearance, formal access approval, and need-to-
know for all of the information flowing through the interface prior to them being granted access 
to the system. 

3.4 Non-U.S. Citizens 

Non-U.S. citizens are not authorized to use this system and are not allowed to maintain the 
CI-100. Foreign nationals may be authorized users on the two networks connected by the controlled 
interface but under no circumstances will they be allowed to physically or logically access the 
CI-100. The system administrator and ISSO will ensure that the device is protected from foreign 
users. This may entail the use of a tightly-controlled firewall or router-based access control lists 
(ACL) to prevent unauthorized access to the CI-100. 

3.5 Data Processed 

3.5.1 Classification and Compartments 

Both classified and unclassified information is processed on a CI-100. When the information is 
on the low (unclassified) system, it is unclassified (i.e., information from the Internet) or 
sensitive-but-unclassified (SBU - i.e., law enforcement data). The information usually retains 
this classification after it is transferred to the high (Confidential/Secret) system. However, this 
information may be reclassified as confidential or secret when it is associated with information 
already residing on the high-side network. 

3.5.2 Dissemination Controls 

Information handled by the CI-100 may have the following handling caveats: Limited Official 
Use (LOU), For Official Use Only (FOUO), or Law Enforcement Sensitive (LES). The 
information usually retains this classification after it is transferred to the high 
(Confidential/Secret) system. However, this information may be reclassified as confidential or 
secret when it is associated with information already residing on the high-side network. 


3.6 Security Goals 

3.6.1 Confidentiality   [ ] Basic   [ ] Medium   [X] High 

3.6.2 Integrity         [ ] Basic   [ ] Medium   [X] High 

3.6.3 Availability      [ ] Basic   [ ] Medium   [X] High 

3.7 Tier Level          [ ] One   [X] Two   [ ] Three   [ ] Four 


3.8 Non-U.S. Citizen Users 
Not applicable. 

3.9 Interconnection Interface Description 

3.9. 1 Direct Network Connections 


The purpose of the CI-100 is to provide a logical connection between two different security 
domains, permitting unclassified data to flow into the classified system but not allowing 
classified information to leak to the unclassified system. 


System Name | Classifications/Compartments | Accreditation Date | Designated Accreditation Authority 
EDMS        | SECRET                       | 18 August 2004     | [redacted] SecD/AU 
DCS-3000    | SBU                          | 28 May 2003        | [redacted] 


3.9.2 Connectivity Management Procedures 

Due to its unique configuration, modifications to the CI-100 architecture are strictly controlled. 

The system is visually inspected weekly to verify that it has not been modified in ways that could 
adversely affect system security. 

Physical access to the CI-100 will be restricted to system administrators, the only persons 
authorized to make any changes to the system. Prior to any additional connections being made, 
they will be reviewed by the system owner, program manager, and ISSM for possible system 
security impacts. 

3.9.3 Interconnection 

The system directly connected to the low side of the controlled interface will conduct an 
antivirus scan of all data prior to it entering the CI-100. This requirement is in addition to any other 
virus scanning conducted on the unclassified network. Once the data is on the high side of the 
CI-100, it is passed to the first node on the classified system. As it enters this network, the 
system directly connected to the high-side computer will scan all data arriving from the CI-100 
before it is transmitted further into the classified network. This requirement is in addition to any 
other virus scanning conducted on the classified network. 

3.9.4 Connectivity Procedures 

The CI-100 physical and logical configurations will not be changed without the approval of the 
DAA and program office. The ISSO/ISSM must approve any repairs to the NIC and one-way 
cable. System administrators may conduct routine maintenance under their own authority. 


3.9.5 Controlled Interface Requirements 

The CI-100 will adjudicate the security policies between unclassified and confidential/secret 
security domains. The interface permits the electronic transfer of data from the unclassified 
system to the classified portion while preventing the leakage of classified information to the low 
side. 

Since the CI-100 is a data transport mechanism, no data will be accessed on this system with the 
exception of reviewing packets causing networking problems. The packets will only be accessed 
to assess and resolve the problem. Only system administrators are permitted to perform these 
activities. 

3.9.6 Data Flow Diagram 

Data flows from an unclassified source, usually a network, through the controlled interface, and 
into a classified system. Due to the modified fiber optic/RS-232 cable, data cannot flow from the 
classified network to the unclassified network. 



Figure 3-2 - Basic CI-100 Information Flow Diagram 
3.9.7 Telecommunications Security 

In most cases, the two computers that make up the CI-100 will be located in close proximity to 
one another (given the one-meter separation requirement). If the two systems must be located in 
two different locations, the fiber that connects the two computers will be encrypted or contained 
in a protected distribution system (PDS) if it passes through an area not authorized to process 
classified data. 
3.9.8 Networking 

A CI-100 is a very basic computer network, two computers connected by a fiber optic or serial 
cable that can only transmit data from an unclassified machine to a classified one. There is no 
return transmission from the classified to unclassified system. Both systems are also connected 
to another network. The outside networks are usually based on TCP/IP and can use nearly any 
type of NIC (fiber optic, RJ-45 (Ethernet), etc.) to deliver data to/receive data from the CI-100. 

3.9.9 Indirect Connections 

The only indirect connections (sneaker-net) on the CI-100 are to provide software patches for the 
operating system or new code that facilitates the conversion of data between TCP/IP and 
UDP/serial. During normal day-to-day operations, the floppy and CD-ROM disk drives are 
deactivated in the password-protected Basic Input/Output System (BIOS). The system 
administrator will activate the drives only when updated software or patches need to be applied. 


4 HARDWARE 
4.1 Hardware Listing 

As this is a type accreditation, the specific information pertaining to the hardware being used will 
be different for each implementation. The ISSO will document the manufacturer, model, serial 
number, amount of RAM, hard disk size, and CPU speed. The ISSO will also identify the type 
of medium (i.e., fiber optic or RS-232) being used and name/source of the modified cable. 


Computers (to be completed by the ISSO for each implementation) 

Manufacturer | Model | Serial | CPU Speed | RAM (MB) | Hard Disk Size | Classification 
             |       |        |           |          |                | Unclassified 
             |       |        |           |          |                | Secret/Confidential 


One-way Transfer Medium 

Cable Type | Source (POC) | Unit           | Telephone Number 
Fiber      | —            | OTD/ESTS/TICTU | [redacted] 
4.2 Custom-Built Hardware 


There are several pieces of customized hardware in the CI-100: modified fiber optic NICs and 
either a modified fiber optic cable or a modified RS-232 cable. 

Prior to the CI-100 being placed into operation between the two networks, it will be tested to 
verify that the low side can only transmit to the high side but cannot receive anything from that 
computer. The high side should be able to receive from the low side but not transmit to it. See 
subsection 7.5.9 for the basic testing procedures. The CI-100 must pass these tests before it can 
be installed. 


4.3 Configuration Management 

Configuration management (CM) is described in detail in subsection 7.5.3. 


5 SOFTWARE 


5.1 Software Listing 

Very little software will be installed on the CI-100 since the system performs critical security 
functions. To limit the vulnerabilities that non-essential programs may introduce, such 
programs are not installed on the system. 


The only operating systems authorized for use in the CI-100 are Microsoft Windows 2000 
Professional with Service Pack 3a and Windows 2000 Server with Service Pack 4. The operating 
system will be hardened prior to being placed into operation. These hardening procedures are 
based on information security best practices and guidance documents from NIST, the 
SANS Institute, and Common Criteria. The hardening procedures and/or scripts are found in 
Appendix D. 


Up-to-date antivirus software will be used on the CI-100 to prevent an infection passing from the 
low side to the high side. The program must be properly configured so that in the event 
malicious software is detected, it isolates the offending program on the computer and permits the 
continued flow of data through the CI-100. For further information, please see subsection 
7.10.3. 

The following is a list of software found on the CI-100: 


• The TCP/IP - UDP/Serial conversion and reversion programs 

• Microsoft Windows 2000 Server with Service Pack 4 

• Adobe Reader 6.0.1 

• WinZip 10.0 

• McAfee VirusScan Enterprise Version 7.0.0.511 

5.2 Configuration Guides 

The operating system configuration guides are found in Appendix D. 

5.3 Allowed Services and Protocols 

a. Services internal to the CI-100: 

   telnet 

b. Services outside the boundary of the LAN: 

   SSL 
   SSH 
   telnet 

c. Network protocols: 

   UDP 
   TCP/IP 
   RS-232/serial connectivity 
   FTP 
   ICMP 


5.4 Mail System 
Not applicable. 

5.5 Foreign Software 

There is no foreign software on the CI-100. However, due to the way the software industry is 
currently developing programs, non-U.S. citizens are likely to have worked on building the anti-
virus software and the operating system. 

5.6 Software with Restricted Access or Limited Use Requirements 

The security of the entire CI-100 system is based on a severely restricted access list. As such, 
use of all software on the CI-100 is restricted to system administrators. 

5.7 Configuration Management 

Configuration management (CM) is described in detail in subsection 7.5.3. 
6 DATA STORAGE 

6.1 Media Types 

Various types of data storage media are used on the CI-100, but hard drive storage is 
predominant. The hard drive contains the hardened operating system, the TCP/IP-to-UDP or 
RS-232 conversion program, and the anti-virus program. Data being transmitted over the 
controlled interface is not stored on either of the CI-100 machines. The last node on the 
unclassified network retains a copy of the data until it is either manually or automatically deleted. 
When configuring this system, the system administrator must build in enough time to review the 
file transfer audit logs on the high-side system to identify any packets that did not arrive intact. 

If a packet was corrupted in transmission, the system administrator must manually resend the 
packet from the unclassified network and verify that the packet was received intact. 
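The review step above (identify what did not arrive intact, resend it, confirm the resend) lends itself to a small script run on the high side. What follows is an added example written for this edit, not an FBI procedure: the audit log format, the status names, the constructed sample lines and the idea that the low side hands over a count of frames it sent are all assumptions. A later OK entry for a sequence number (a manual resend) clears an earlier failure, and a malformed line aborts the review rather than being skipped, so a truncated log is never read as a clean transfer.

```python
"""Review a high-side OWT audit log for frames that must be resent (added example)."""
import re

# Assumed log format, one line per datagram the high side examined.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"seq=(?P<seq>\d+) status=(?P<status>OK|CRC_FAIL|SHORT)$"
)

# Constructed sample: the low side reports 6 frames (0-5) sent. Frame 2 arrived
# corrupt, 3 never arrived, 5 arrived short and was later resent intact, and
# 7 was logged although the low side never sent it.
SAMPLE_LOG = """\
2004-08-18 10:00:01 seq=0 status=OK
2004-08-18 10:00:01 seq=1 status=OK
2004-08-18 10:00:01 seq=2 status=CRC_FAIL
2004-08-18 10:00:02 seq=4 status=OK
2004-08-18 10:00:02 seq=5 status=SHORT
2004-08-18 10:00:09 seq=5 status=OK
2004-08-18 10:00:02 seq=7 status=OK
""".splitlines()


def parse_audit(lines):
    """Yield (seq, status) per line. Anything unparseable raises, because a
    log that cannot be read in full cannot prove the transfer was complete."""
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"audit log line {n} unparseable: {line!r}")
        yield int(m["seq"]), m["status"]


def review(lines, frames_sent):
    """Return (resend, unexpected): sequence numbers in 0..frames_sent-1 that
    never arrived intact, and sequence numbers the low side did not report
    sending (worth a look, since nothing else should be on the link)."""
    intact, unexpected = set(), set()
    for seq, status in parse_audit(lines):
        if seq >= frames_sent:
            unexpected.add(seq)
        elif status == "OK":
            intact.add(seq)
    resend = sorted(set(range(frames_sent)) - intact)
    return resend, sorted(unexpected)


if __name__ == "__main__":
    todo, odd = review(SAMPLE_LOG, frames_sent=6)
    print("resend from low side:", todo)      # [2, 3]
    print("not accounted for by low side:", odd)   # [7]
```

Run against the sample, the review asks for frames 2 and 3 to be resent (frame 5 is covered by its later OK line) and flags frame 7 as unaccounted for. After the resend, the same script on the appended log should return an empty resend list; that is the "verify that the packet was received intact" step.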

Floppy disks and CD-ROMs are used on a sporadic basis and only to load updates to software 
already on the system. On a day-to-day basis, the floppy and CD drives will be deactivated in 
the password-protected BIOS. When software updates or new software need to be loaded onto 
the system, the system administrator will reactivate the floppy and/or CD drives in order to 
perform these tasks. Once the software is loaded, the drives will be deactivated. 

6.2 Media Handling 

All media are handled in accordance with its classification. If the facility is not authorized for 
open storage of hard-copy Secret material, but open storage is permitted for non-removable 
magnetic media, all Secret removable media (floppy, CDs, Zip disks, etc.) will be secured in a 
GSA-approved safe. If the facility that houses the CI-100 is not authorized for the open storage 
of any classified information, the CI-100 will be built with removable hard drives. These drives 
would be secured in a GSA-approved safe at the close of business. 

All removable media are marked with the appropriate SF 7xx classification and data descriptor 
labels. An unclassified disk will be marked with the green SF 710, Confidential with the blue SF 
708, and Secret with the red SF 707. All removable media will also have a white SF 711 Data 
Descriptor label affixed to its surface. Fixed hard disk drives do not need to have the labels on 
their cases as the labels attached to the CPU cases are sufficient. Removable hard drives and 
hard drives removed from the CPU case will have classification and data descriptor labels. 

In most cases, removable media are classified in accordance with the classification of the system 
in which they are used. This means that a disk containing only unclassified information but used 
on a secret system is classified secret. However, there is an exception to this rule. If the system 
administrator or ISSO write-protects an unclassified floppy disk, the disk may be used in a 
classified system and retain its “Unclassified” markings. Write-protecting the disk ensures that 
classified information is not inadvertently written to the floppy. The case is similar for CD- 
ROMs. If the classified machine's CD-ROM drive is a read-only drive and not a CD-RW 
(Read/Write) drive, the unclassified CD-ROM can be used in a classified machine and still 
retains its “Unclassified” status. 

For clearing, purging, and destruction of media, please see paragraph 7.9.1. 

6.3 Backup and Restoration Process 

Very little data is maintained on a CI-100. Unless otherwise authorized by the DAA, the only 
programs authorized to be on the systems are the operating system and the data-conversion 
programs. No operational data (data to be transferred) is maintained on the CI-100. The system 
administrators will keep a local floppy/CD-based version of the CI-100 configuration settings 
and the data conversion programs. This disk should not be stored in the vicinity of the CI-100. 
Additionally, the Information Assurance Section, Security Division, will maintain an e-mailable 
copy of the operating system settings and the data conversion programs that can be quickly sent 
to a site needing them. 

6.4 Backup Protection 

As stated in the previous paragraph, backup copies of the operating system configuration and the 
data conversion programs are maintained locally and at the FBIHQ. The operating system 
(Windows 2000 Server) is widely available, either commercially or from FBIHQ. The hardening 
procedures are unclassified with the associated public domain information built from several 
trusted sources. The conversion program is the only software that needs additional protection as 
it is government-off-the-shelf (GOTS) software and is labeled Limited Official Use/For Official 
Use Only. 

Generally, there are no special security requirements for the CI-100 hardware and firmware since 
they are readily available. With the exception of the modified NICs, fiber optic cables, and serial 
cables, the CI-100 computers can be pulled from excess equipment within the FBI. The 
hardware specifications for the CI-100 computing platforms are not extensive and do not require 
top-of-the-line computers. The system administrator will identify sources of spare computers, 
NICs, and cables to assist in expediting the computer replacement. 

6.5 Disaster Recovery 

A CI-100 Disaster Recovery pack will be maintained, preferably offsite, but readily available. It 
will consist of: 

• At least one copy (if not both copies) of the operating system CD-ROMs 

• The operating system configuration file 

• The TCP/IP to UDP or RS-232 conversion program 

• At least two modified fiber optic or serial cables 

• The system administrator manual 

• A copy of the CI-100 SSP 

Additionally, the system administrator will maintain a list of possible hardware sources to 
replace the CI-100 components in the event that the system must be rebuilt from scratch. 
Particular attention must be made to sources of the fiber optic NICs as they usually do not come 
as standard equipment on PCs. 

In the event a CI-100 must be reconstructed from scratch, the system administrator will adhere to 
the following procedures. 

• Identify a new location for the CI-100, paying particular attention to the ability to connect the 
two networks, authorization to process classified information, power, air conditioning, physical 
security, environmental hazards, etc. 

• Set-up the new computers, mark them with the appropriate classifications, and load the base 
operating system as well as any authorized services packs and security patches. 

• Once the operating system is loaded, harden the system using the automated scripts on the 
CI-100 program CD-ROM or by manual configuration. 
• Configure the network settings on the high and low-side computers. 

• Connect the OWT cable to the low-side computer, matching the green end of the cable to the 
unclassified machine. Connect the blue/red end of the cable to the classified machine. 

• Conduct basic networking tests to verify that the OWT cable is actually one-way. (See 
subsection 7.6.9.) 

• If the low-to-high test succeeds and every high-to-low test fails, the CI-100 has been assembled properly. 

• Install the data conversion programs on the low and high-side computers. 

• The connections to the two outside networks may be established and the interface can resume 
transmitting data. 

In the event of a power loss, the system administrator must ensure that the high side of the CI-
100 is brought online before the low side. This will prevent data from being lost when the low 
side, which blindly transmits the UDP data packets, broadcasts packets to the high side that is 
incapable of receiving data as it is still off-line. 

In a similar situation, if the system administrator must take the system off-line, the low side of 
the CI-100 must be taken down before the high side, thus preventing the low side from 
broadcasting packets to a system that is no longer functioning. 

Each site will integrate its site-specific disaster recovery/continuity of operations plan into this 
SSP as well as into their parent division's plans. 
7 SECURITY REQUIREMENTS 
7.1 Threats & Vulnerabilities 

Please see Appendix E, Risk Management Matrix. 
7.2 User Access and Operation 

7.2.1 Access Controls 

All system users have unique identifiers that permit the tracking of each individual's actions on 
the system. Passwords are the chosen method of authentication. Additionally, FBI spaces have 
several layers of physical security controlling physical access to CI-100s and other systems. 

To gain access to FBI facilities, two forms of identification are required, one of which is usually a 
proximity-type badge verifying that the person has a completed security background 
investigation. 

Once inside FBI spaces, all personnel must display their security badge. The badge by itself or 
in conjunction with a PIN can grant employees access to various rooms. Access to rooms 
containing a CI-100 is controlled to only those personnel with the proper security clearance, an 
established need-to-know, and formal access approval for all information flowing across it. 

Currently, only user IDs and passwords are used for identification and authentication. There are 
two user groups on the CI-100, the system administrator and ISSO groups; no general users are 
allowed on the system. 

7.2.2 Account Procedures 

During the hardening procedures for the system, all default accounts are renamed and any guest 
account is deactivated. The renamed default system administrator account is used to create the 
initial unique user ID system administrator accounts and grants system administrator privileges 
to these unique accounts. These accounts have full privileges to the system with the exception of 
full access to the system audit logs; the accounts only have read access to the logs. 

The renamed default system administrator account will create the ISSO group and accounts. 
This group will have full access to the system audit log files, but only general privileges on the 
remainder of the system. 

b2 
to be established, an existing system administrator will create the account and grant system 
administrator privileges to it. 



The number of system administrator and ISSO accounts will be kept to an absolute minimum. 
Only employees with the proper security clearance, an established need-to-know, and formal 
access approval for all of the information flowing across it will be assigned an account. 

Accounts on this system are not modified. In the event an account needs to be terminated, it is 
removed from the system. However, a record will be maintained of that user ID and the person 
who used it. This information will be retained for a period of 90 days, as the audit logs for the 
system must be maintained for that period of time. This user ID record will associate the user 
ID, the actual name of the system administrator/ISSO, and past actions he/she has taken on the 
controlled interface. 

7.2.3 Authenticator(s) Procedures 

Automated password strength checkers and generators are not used. System administrators and 
ISSOs are briefed on how to construct a strong password. 

Often, only one system administrator is on duty at a given time. 


7.2.4 System Users 

There are no general system users on the CI-100. 

7.2.5 Privileged Users 

All privileged users have unique user IDs and unique passwords. However, see subsection 7.2.3 
concerning use of the renamed default system administrator account. 

7.2.6 Password Changes 
7.2.7 Password Generation 

Automated password strength checkers and generators are not used; system administrators and 
ISSOs are briefed on how to construct a strong password. 

7.2.8 Log-on Error Handling 

A user is locked out of his/her account after a maximum of four attempts, and a system 
administrator must unlock the account. 

7.2.9 Account Lockout Handling 
7.3 User Groups and Access Rights 

7.3.1 User Groups 

The two user groups on the CI-100 are the system administrator and ISSO groups. In order to 
become a system administrator, one must have the proper security clearance, an established 
need-to-know and formal access approval for all of the information flowing across the interface. 
To become an ISSO, one must also have the proper security clearance, an established need-to- 
know, and formal access approval for all of the information flowing across the interface. 
Additionally, the ISSO needs to be technically proficient on the operating system on the CI-100 
and have security training or a security background. 

7.3.2 Non-data File Access 

System administrators can change the configuration and/or content of all files other than the 
system audit log files on the CI-100, since they have complete control of the system. However, 
only the ISSOs are allowed to have full privileges to the system audit log files. 

7.3.3 System Access Rights 

The system administrator group can set privileges for all users on the system. System 
administrators have complete control of their systems with the exception of having full privileges 
to system(s) audit log files. 

7.3.4 Audit Logs 

Users (system administrators) can view the audit log but cannot change or delete it. The ISSO 
can view and delete the audit log. The ISSO is the only person authorized to transfer the audit 
logs from on-line storage to off-line storage. 

7.3.5 Privileged Users 

There are three (3) privileged users on this system. There are two categories of privileged users - 
system administrators and the ISSO. The privileges granted to the ISSO are less than those of 
the system administrator with one exception - the ISSO has full control over the audit log. This 
is necessary, as the ISSO must transfer the audit logs from on-line storage to off-line storage. 

The system administrators can only view the audit log file. For a list of auditable events, please 
see subsection 7.6. 
7.3.6 Privileged Users Guides 
Please see paragraph 8.2. 

7.3.7 Technical Access Mechanisms 

Although FBI policy states that the password-protected screen lock must activate after 20 
minutes of user inactivity, the screen lock on the CI-100 will activate after five (5) minutes of 
inactivity. It is highly recommended that if the system administrator steps away from the CI-100 
terminal, he/she immediately activates the password-protected screen saver by pressing Ctrl-Alt-
Delete and selecting the Lock Workstation button. 

7.3.8 Discretionary Access Control 

System administrators have full control over all files on the CI-100 except for the audit log files. 
ISSOs have full control over audit logs, whereas system administrators can only view the logs. 

7.3.9 Need-to-Know Controls 

System administrators and ISSOs have established need-to-know for all of the information 
flowing through the CI-100. 

7.3.10 Mandatory Access Control 
Not applicable. 

7.3.11 Discretionary Access Control Augmentation 
Not applicable. 

7.4 Security Support Structure Protection 

7.4.1 General 

The security support structure consists of three primary elements - the OWT medium, the 
system logs (i.e., audit and data transfer logs), and the operating system configuration. The 
OWT medium ensures that unclassified data can be transferred to the classified side, but 
classified information cannot leak down to the unclassified devices. The audit logs enable the 
ISSO to identify general system activity by type of activity and user ID (please see specific 
information in subsection 7.6). The data transfer logs permit the system administrator to view 
the number of packets sent, received, and any that were modified during transmission. Finally, 
the operating system configuration is hardened according to tested configurations. The 
configuration will not be changed without following the FBI Configuration Management process 
and being approved by the ISSM and DAA. 

7.4.2 Trusted Communications 
Not applicable. 
7.4.3 Validation Procedures 

The certification test plan/results (CTP/R) from the certification testing of the Microsoft 
Windows 2000 Professional/Server-based CI-100 are found in Appendix F. 

On at least a daily basis, the system administrator will review the data transfer logs to identify 
any packets that were modified in transit. If a significant amount of traffic is transmitted on a 
daily basis, this review should occur every 2-4 hours. 

On a weekly basis, the ISSO will verify and document the following items: 

° Verify that the OWT medium (fiber optic or RS-232 cable) has not been replaced and 
continues to be plugged in to the proper computer (green end to low system, red/blue 
to the high system) 

° Verify that the warning labels on the OWT medium and the computer systems have 
not been removed 

° Verify that the network interface cards (NICs) have not been replaced and the send port 
on the high system and the receive port on the low system are still epoxied shut 

° Review the CI-100 audit logs for any anomalous activity 

Every six months, the system administrator and ISSO will attempt to ping the high system from 
the low system. This test should time out: the Internet Control Message Protocol (ICMP) 
packets are sent to the high side, but no replies should be received, as the high system should not 
be able to send reply packets to the low system. They will try to ping the low side from the high 
side, but the attempt should fail, as packets cannot be sent from the high to the low side. 
Following the ping attempts, the system administrator and ISSO will attempt to establish a telnet 
session between the low and high systems. Both attempts should fail, since there is no way to 
establish the handshake necessary for the session. These test results will be documented. 

All verification and validation result logs will be maintained with this SSP until the CI-100 is 
reaccredited. 

7.5 Security Features and Assurances 
7.5.1 Incident Reporting 

The following types of incidents should be reported through the ISSO to the ISSM: 

° Compromise of classified information as a result of an individual's misuse of the CI-
100, or failure to follow rules, procedures, guidelines, or regulations pertaining to 
system use 

° System failures that result in the compromise of classified information 

° Hostile penetration attempts 

° Flaws or vulnerabilities that could result in the compromise of classified information 

° Unauthorized configuration changes to the operating system or hardware 

° Malicious code response 

° System contamination where data has leaked from the high side to the low side 

For any incident where classified information has or is suspected to have been compromised, the 
following procedures will apply: 

° Cease activity and disconnect the CI-100 from both networks. If this is a high-
availability system, another CI-100 will be built using the steps outlined in subsection 
6.5, Disaster Recovery, and put into place. The ISSO and Security Officer will 
conduct a preliminary determination on the extent of the compromise or 
contamination. 

° Immediately contact ISSM and Enterprise Security Operations Center (ESOC) to 
report the incident. Further guidance will be provided as dictated by the 
circumstances. 

° Identify the originator or source of the incident and identify all receivers (e.g., 
systems, users) of the data. 

° Prior to bringing the affected system back on line, coordinate specific actions to be 
taken with the ISSM. 

° A written report of the incident is to be provided to the DAA within three (3) business 
days of completing clean-up. 

The program manager will maintain a list of security incidents to identify patterns that may 
indicate potential CI-100 design problems. 

7.5.2 Remote Access 

Remote access to a CI-100 is not authorized. The DAA may grant exceptions for remote 
management of the system. If granted, all remote management activities will take place via an 
encrypted session. A copy of the exception will be maintained with this packet. 

7.5.3 Configuration Management Program 

The following paragraphs are based on the FBI Configuration Management Policy for IT 
Projects, Version 1.0 attached to an EC dated 10/01/2001 (Case ID # 66F-HQ-A13 15416). 

The CI-100 is composed of two tightly-configured PCs that are connected by a modified cable so 
data is securely transferred from an unclassified system to a classified system. The computers' 
operating systems are tightly configured using Common Criteria, NIST, and SANS 
guidance. Only the IAS can authorize changes to these settings or allow patches to be installed 
on the computers. IAS will maintain and update configuration settings for the CI-100 and is the 
only authorized source for these configuration files. IAS will also provide guidance and act as a 
trusted source for any operating system patches. The ISSM/ISSO will serve as the conduit for 
changes to the controlled interface and provide assistance to the system administrator in 
receiving approval for possible field-recommended system changes. The system administrator 
will maintain a configuration log, annotating all changes to the CI-100. 

All systems shipped will have a primary and spare modified cable to permit quick replacement of 
a failed medium. Instructions for making a new modified cable are provided in subsection 4.2. 

In the event a NIC fails, subsection 4.2 provides guidance on how to replace and configure a 
fiber optic NIC in a CI-100. 

Prior to any changes to the system architecture or operating system configuration, the program 
office (i.e., IAS) will make the changes on a non-operational system in a test environment. A 
full-scale system vulnerability test, similar to the ones conducted for this accreditation, will be 
performed on the test system to ensure that the proposed changes do not have a negative impact 
on system security. Only after the vulnerability testing is completed and risks are mitigated will 

7.5.5 Unique Security Features 

The unique security feature in the CI-100 is the one-way transfer of data from an unclassified 
system to a confidential/secret system. For a detailed description, please see subsections 3.1 and 
4.2. 

7.5.6 Recovery Procedures 



In the event of component damage, please refer to subsections 4.2 and 6.5 on the procedures to 
take when replacing systems and configuring them properly. 

If the above steps are taken, the CI-100 will recover to a secure mode and ensure that 
information continues to flow across the one-way medium. 

7.5.7 After-Hours Processing 

Most CI-100s will be operational 24/7 to facilitate the flow of information between the two 
security domains. 

7.5.8 System Start-Up 



7.5.9 Compliance-Monitoring Program 

On a periodic basis, the ISSO and system administrator will verify various aspects of the CI-100 
Security Support Structure and system configuration. 

On a weekly basis, the ISSO will verify and document the following items: 
° Verify that the OWT medium (fiber optic or RS-232 cable) has not been replaced and 
continues to be plugged into the proper computer (green end to low system, red/blue 
to the high system). 

° Verify that the warning labels on the OWT medium and the computer systems have 
not been removed. 

° Verify that the network interface cards have not been replaced and the send port on the 
high system and the receive port on the low system are still epoxied shut. 

° Review the CI-100 audit logs for any anomalous activity. 

Every six months, the system administrator and ISSO will attempt to ping the high system from 
the low system. This test should time out as the ICMP packets are sent to the high side, but no 
replies should be received, since the high system should not be able to send packets to the low 
system. They will try to ping the low side from the high side, but the attempt should fail, as 
packets cannot be sent from the high to the low side. Following the ping attempts, the system 
administrator and ISSO will attempt to establish a telnet session between the low and high 
systems. Both attempts should fail, as there is no way to establish the handshake necessary to 
establish the session. These results will be documented. 

All verification and validation result logs will be maintained with this SSP until the CI-100 is 
removed or reaccredited. 

7.5.10 Non-Repudiation 

Non-repudiation is applied to all privileged user activities on the system. User IDs are used to 
identify these activities and the information is entered into the audit log. 

7.5.11 Transaction Rollback 

Transaction rollback is not conducted on this system. The only activities that could be rolled 
back are operating system patches. In the event a patch needs to be installed or removed, 
configuration management procedures are applied. These activities are logged into the audit log 
or maintained in the hard-copy configuration management log. 

7.6 Auditing 

7.6.1 Auditing Procedures 

There are two types of auditing on the CI-100: auditing at the operating system level and at the 
file transfer level (on the high-side machine). The low and high-side machines monitor activities 
at the operating-system level for the system administrator and ISSO user groups. Additionally, 
on the high-side machine, all arriving files are logged as to the file name, date arrived, file size, 
the MD5 checksum attached to the incoming file, and a second checksum generated on the 
high-side system to verify that the file arrived unaltered. 
At log-on, the standard DOJ warning banner employed by the FBI appears, and the user must 
positively acknowledge agreement or access is denied. 

The text of the warning banner is as follows: 

WARNING! This computer system is the property of the United States Department of 
Justice. The Department may monitor any activity on the system and search and retrieve 
any information stored within the system. By accessing and using this computer, you are 
consenting to such monitoring and information retrieval for law enforcement and other 
purposes. Users should have no expectation of privacy as to any communication on or 
information stored within the system, including information stored on the network and 
stored locally on the hard drive or other media in use with this unit (e.g., floppy drives, CD-
ROMs, etc.). 


7.6.3 User Accountability 

Each user is issued a unique user ID and is held responsible for his/her actions. Account 
management procedures are found in subsections 7.2 and 7.3. 

7.6.4 Audit Protection 

The audit trail is protected from unauthorized modification. All users can view the audit log; 
however, only the ISSO is allowed to modify/move the audit log. 

7.6.5 Audited Information 

The following information is found within the audit trail: 

° User ID 
° Date of activity 
° Time of activity 
° Type of event or action 
° Terminal ID from/on which action was taken 
° Success/failure of the event 


7.6.6 Audited Activities 

The following items are audited (success and failure): 

° Log-on/off 

° Use of privileged user or root privileges 

° Attempts to change data 

° Deletion of files, directories, or data elements 

° Access to security-relevant directories, objects, and incidents 

° System console activities 

° Change of formal access permissions 

° Attempted access to objects or data whose labels are inconsistent with user privileges 
° Attempts to modify the audit trail file 
° Movement/deletion of the audit trail file 


7.6.7 Audit Review 

On a weekly basis, the ISSO will review the operating system audit trail. These files will be 
retained on-line for one month and off-line for five years. 

On a minimum of a daily basis, the system administrator will review the file transfer audit trail to 
identify any files that may have been corrupted or altered during transmission. It is unnecessary 
to maintain an on-line copy of more than the last 24 hours activity. This audit trail will be 
maintained on-line for 90 days. 

7.6.8 Discrepancy Handling 

In the event there is a discrepancy or indications of possible suspicious activity, the ISSO will 
conduct an initial inquiry into the matter. If deemed suspicious, the ISSO will notify the ISSM, 
system owner, and the appropriate security officer of the activity. Then, the FBI incident-
handling procedures will be followed. If benign, the discrepancies will be logged into a 
memorandum for the record and placed in the ISSO's files. In the event of multiple occurrences 
of the same discrepancy, the ISSO and system administrator will identify the source of the 
discrepancy and resolve the problem. 
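The weekly audit-trail review described in subsections 7.6.5 through 7.6.8 can be partly automated. The script below is an added example, not the CI-100's own tooling or any FBI program: it parses audit records carrying the six fields listed in 7.6.5 and flags the discrepancies an ISSO would open an inquiry on, namely runs of failed log-ons reaching the four-attempt lockout limit of 7.2.8, any attempt by a non-ISSO account to modify or move the audit trail (7.6.4), and activity under a user ID that is neither a system administrator nor an ISSO account. The comma-separated record layout, the user IDs, terminal IDs, event names and the sample records are all constructed for this example.

```python
"""Weekly audit-trail review for a CI-100 (added example; not the CI-100's own tooling).

Assumptions (constructed for this example): audit records are comma-separated with
the six fields named in subsection 7.6.5; user IDs, terminal IDs and event names
are invented; the lockout threshold of four attempts comes from subsection 7.2.8.
"""
from collections import defaultdict

AUDIT_FIELDS = ("user_id", "date", "time", "event", "terminal", "result")
LOCKOUT_THRESHOLD = 4                       # 7.2.8: lockout after a maximum of four attempts
ISSO_USERS = {"isso01"}                     # only the ISSO may modify/move the audit log (7.6.4)
SYSADMIN_USERS = {"sysadm01", "sysadm02"}   # no general users exist on the CI-100 (7.2.4)
AUTHORIZED_USERS = ISSO_USERS | SYSADMIN_USERS
AUDIT_TRAIL_EVENTS = {"modify_audit_trail", "move_audit_trail", "delete_audit_trail"}


def parse_record(line):
    """Split one audit record into the 7.6.5 fields; a malformed line is itself a discrepancy."""
    parts = [p.strip() for p in line.strip().split(",")]
    if len(parts) != len(AUDIT_FIELDS):
        raise ValueError(f"malformed audit record: {line!r}")
    return dict(zip(AUDIT_FIELDS, parts))


def review_audit_trail(lines):
    """Return (kind, user_id, detail) findings for the ISSO's initial inquiry (7.6.8)."""
    findings = []
    failed_logons = defaultdict(int)        # consecutive failed log-ons per user ID
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        when = f"{rec['date']} {rec['time']} on {rec['terminal']}"
        # Only system administrator and ISSO accounts exist; any other ID is anomalous.
        if rec["user_id"] not in AUTHORIZED_USERS:
            findings.append(("unknown_user", rec["user_id"], f"{rec['event']} at {when}"))
        if rec["event"] == "logon":
            if rec["result"] == "failure":
                failed_logons[rec["user_id"]] += 1
                if failed_logons[rec["user_id"]] == LOCKOUT_THRESHOLD:
                    findings.append(("lockout_threshold", rec["user_id"],
                                     f"{LOCKOUT_THRESHOLD} failed log-ons, last at {when}"))
            else:
                failed_logons[rec["user_id"]] = 0   # a successful log-on resets the run
        # System administrators have read-only access to the audit log (7.3.4); any
        # modify/move/delete attempt by a non-ISSO account, successful or not, is reviewed.
        if rec["event"] in AUDIT_TRAIL_EVENTS and rec["user_id"] not in ISSO_USERS:
            findings.append(("audit_trail_tamper", rec["user_id"],
                             f"{rec['event']} ({rec['result']}) at {when}"))
    return findings


# Constructed sample records for a demonstration run (not real CI-100 log data).
SAMPLE_AUDIT_TRAIL = [
    "sysadm01,2004-03-01,08:02:11,logon,CON01,success",
    "isso01,2004-03-01,09:15:40,logon,CON01,success",
    "isso01,2004-03-01,09:16:02,move_audit_trail,CON01,success",
    "sysadm02,2004-03-02,07:58:03,logon,CON01,failure",
    "sysadm02,2004-03-02,07:58:20,logon,CON01,failure",
    "sysadm02,2004-03-02,07:58:41,logon,CON01,failure",
    "sysadm02,2004-03-02,07:59:05,logon,CON01,failure",
    "sysadm01,2004-03-02,13:21:09,modify_audit_trail,CON01,failure",
    "guest,2004-03-03,02:40:17,logon,CON01,failure",
]

if __name__ == "__main__":
    for kind, user, detail in review_audit_trail(SAMPLE_AUDIT_TRAIL):
        print(f"{kind:20s} {user:10s} {detail}")
```

Run against the constructed sample, the review yields three findings: the lockout threshold reached by sysadm02, the audit-trail modification attempt by sysadm01, and the log-on attempt under the unknown ID "guest". The ISSO's move of the audit trail is not reported, since that is the ISSO's authorized duty under 7.3.4; whether each finding is benign or suspicious remains the ISSO's determination under 7.6.8.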

7.6.9 System Verification and Testing 

On a daily basis, the system administrator will verify that the conversion and transfer 
mechanisms are functioning properly. This is done by reviewing the transfer log on the high-
side system to identify any packets that have been corrupted during transmission. If an unusual 
number of packets have been corrupted, the system administrator will attempt to identify the 
problem. If unable to rectify the problem, the system administrator will notify the ISSO, ISSM, 
and program manager of the difficulties. Once a solution is devised, it will be disseminated to 
the organization having the problem. 
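Subsection 7.6.1 describes the high-side arrival log (file name, date arrived, file size, the attached MD5 checksum and a second checksum computed on the high side) and the daily review above looks for transfers corrupted in transit. The script below is an added example, not the CI-100's conversion program or any FBI code: it writes arrival records in that five-field form, recomputes the checksum on the received bytes, and produces the daily review with a configurable threshold for what counts as an unusual number of altered files. The pipe-separated record layout, the file names and contents, the timestamp and the threshold are all constructed for this example. MD5 is used because the page specifies it; it detects accidental corruption, which is what the transfer log is for, and should not be relied on against deliberate tampering.

```python
"""High-side arrival log and daily transfer-log review (added example; not the CI-100's own program).

Assumptions (constructed for this example): arrival records are pipe-separated with the
five fields named in subsection 7.6.1; file names, contents, timestamp and alert threshold
are invented.
"""
import hashlib
from datetime import datetime, timezone

LOG_FIELDS = ("file_name", "date_arrived", "file_size", "attached_md5", "computed_md5")


def md5_hex(data: bytes) -> str:
    """MD5 as specified by the page for transit-integrity checking (corruption detection only)."""
    return hashlib.md5(data).hexdigest()


def log_arrival(file_name: str, data: bytes, attached_md5: str, arrived: datetime) -> str:
    """High side: recompute the checksum on the received bytes and emit one arrival record."""
    return "|".join([
        file_name,
        arrived.strftime("%Y-%m-%d %H:%M:%S"),
        str(len(data)),
        attached_md5.lower(),
        md5_hex(data),
    ])


def parse_log_line(line: str) -> dict:
    """Parse one arrival record; a malformed line is reported rather than silently skipped."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(LOG_FIELDS):
        raise ValueError(f"malformed transfer log line: {line!r}")
    rec = dict(zip(LOG_FIELDS, parts))
    rec["file_size"] = int(rec["file_size"])
    rec["altered"] = rec["attached_md5"] != rec["computed_md5"]
    return rec


def review_transfer_log(lines, max_altered: int = 0) -> dict:
    """Daily review (7.6.9): list files altered in transit; 'unusual' when more than max_altered."""
    records = [parse_log_line(line) for line in lines if line.strip()]
    altered = [r["file_name"] for r in records if r["altered"]]
    return {"total": len(records), "altered": altered, "unusual": len(altered) > max_altered}


# Constructed sample transfer: the low side attaches the MD5 of the original bytes; one
# file is corrupted in transit, so its recomputed checksum differs from the attached one.
_T0 = datetime(2004, 3, 2, 6, 0, 0, tzinfo=timezone.utc)
_ORIGINALS = {
    "incident_summary.txt": b"Routine summary, no changes.\n",
    "budget.csv": b"line,amount\n1,100\n2,250\n",
    "roster.txt": b"alpha\nbravo\ncharlie\n",
}
_RECEIVED = dict(_ORIGINALS)
_RECEIVED["budget.csv"] = b"line,amount\n1,100\n2,2S0\n"    # one byte flipped in transit

SAMPLE_TRANSFER_LOG = [
    log_arrival(name, _RECEIVED[name], md5_hex(_ORIGINALS[name]), _T0)
    for name in _ORIGINALS
]

if __name__ == "__main__":
    print(review_transfer_log(SAMPLE_TRANSFER_LOG))
```

The review reports budget.csv as altered and, with the default threshold of zero, marks the day as unusual; raising `max_altered` is how a site would express the level of background corruption it considers normal on a noisy serial link. A record whose computed checksum matches the attached one says only that the bytes arrived as sent, which is exactly the property the transfer log exists to confirm.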

On a periodic basis, the ISSO and system administrator will verify various aspects of the CI-100 
Security Support Structure and system configuration. 

On a weekly basis, the ISSO will verify and document the following items: 

° Verify that the OWT medium (i.e., fiber optic or RS-232 cable) has not been replaced 
and continues to be plugged into the proper computer (green end to low system, 
red/blue to the high system) 

° Verify that the warning labels on the OWT medium and the computer systems have 
not been removed 

° Verify that the NICs have not been replaced and that the send port on the high system 
and the receive port on the low system are still epoxied shut 

° Review the CI-100 audit logs for any anomalous activity. 

Every six months, the system administrator and ISSO will attempt to ping the high system from 
the low system. This test should time out as the ICMP packets are sent to the high side, but no 
replies should be received, as the high system should not be able to send packets to the low 
system. They will try to ping the low side from the high side, but the attempt should fail, as 
packets cannot be sent from the high to the low side. Following the ping attempts, the system 
administrator and ISSO will attempt to establish a telnet session between the low and high 
systems. These attempts should also fail, as there is no way to establish the handshake necessary 
to establish the session. All results will be documented. 

All verification and validation result logs will be maintained with this SSP until the CI-100 is 
removed or reaccredited. 


Intrusion detection systems (IDS) are not used on the CI-100. If use of an IDS is 
required/desired, it should be placed on the networks to which the controlled interface connects. 
The certification test plan/results are found in Appendix F. 

7.7 Marking and Labeling 

7.7.1 System Hardware 

All CI-100 computers are labeled in accordance with the classification of the information they 
process or the network to which the computers are connected. Low-side computers are labeled 
with green SF 710 stickers on the front of their CPUs. In many cases, rack-mounted computers 
are being used as the two computers that comprise the CI-100. In the event there is not room on 
the front of the chassis for an SF 710 label, green tape will be used to mark the entire front top 
edge of the device to signify its classification. An SF 710 will fold over the front top edge of the 
computer as much as possible. Additionally, the rear of the computer will be marked in a similar 
manner, either an SF 710 placed on the back of the device or the rear top lip edged by 
green tape. 

The front of the high-side CPU will have a red SF 707 (Secret) or blue SF 708 (Confidential) 
label affixed to it. As with the low-side rack-mounted computer, the front top and rear top lips of 
the high-side device will have colored tape (matching the color of the SF label) and an 
overlapping SF label affixed to them. 

The OWT medium (i.e., fiber optic or RS-232 cable) will also be marked with colored tape. The 
transmitting end will have the last two to three inches of the cable covered by green tape. The 
receiving end of the cable will have the last two to three inches of the cable covered by red 
(Secret) or blue (Confidential) tape. This provides a quick means for the system administrator 
and ISSO to verify that the correct ends of the cable are plugged into the 
proper computer: the green end of the cable is plugged into the green computer, and the red/blue 
end of the cable is plugged into the red/blue computer. 

Above the modified NICs, both computers will also have a label stating, "DO NOT REPLACE 
ANY NIC WITHOUT THE PERMISSION OF THE ISSO." A similar label will be placed 
on the OWT medium stating, "DO NOT REPLACE THIS CABLE WITHOUT THE 
PERMISSION OF THE ISSO." 


7.7.2 Storage Media 
Please see subsection 6.2. 


7.7.3 Printout/Hardcopy 

Hardcopy printouts will not be made on this system. Printers will not be connected to the CI-
100. 

7.7.4 Internal Labeling 

Initially, all information crossing the CI-100 is unclassified. Once it has been transmitted from 
the high-side machine to the high-side connected network, it will be marked with its appropriate 
classification. 

7.7.5 Exceptions 

There are no exceptions to equipment marking of the CI-100. If an occasion arises where the 
machines cannot be labeled, the using agency must request an exception through the ISSO and 
ISSM to the DAA. 

7.8 Maintenance Procedures 

7.8.1 General 

All maintenance activities will be conducted on-site by personnel with at least a secret clearance 
and a need-to-know for the information passing through the CI-100. Routine maintenance (i.e., 
reviewing file transfer logs, etc.) will be conducted on a daily basis. In the event a patch or 
service pack must be installed, the configuration management procedures (subsection 7.5.3) will 
be followed. In the event of an after-hours maintenance requirement, on-call personnel will 
perform the maintenance provided they meet the clearance and need-to-know requirements. 

Remote maintenance and diagnostic activities are not permitted. (Please see subsection 7.8.5.) 

7.8.2 Uncleared Personnel 

If an uncleared person is used to conduct maintenance on this system, a technologically adept 
person will escort that person while in any area where classified information is used, discussed, or 
processed. All maintenance activity performed by this person will be noted in the maintenance 
logs. The escort requirement also applies if the maintenance person has a secret clearance but 
does not have a need-to-know for the information passing through the controlled interface. 

7.8.3 Logs 

The standard operating system logs will be maintained, and the ISSO will review them on at 
least a weekly basis, or daily if a recurring problem is being monitored. These logs will audit the 
items listed in the SSP auditing subsections (i.e., subsections 7.6.5 and 7.6.6). 

In the event a maintenance person is required to perform system administrator activities using 
another's user ID, a detailed log will be kept by the system administrator and ISSO noting the 
following items: 

° The date and time of maintenance 
° The user ID used to perform the maintenance 
° The name and organization of the person performing the maintenance 
° A description of the type of maintenance performed 

7.8.4 Maintenance Software 


Basic operating system maintenance software is used on the CI-100. Only a system 
administrator can perform certain maintenance activities. The operating system restricts access 
to this software. 


7.8.5 Remote Diagnostics 

Although it is strongly discouraged, the DAA may grant exceptions for the use of remote 
diagnostic software on the system. If granted, the diagnostic software will not be stored on CI- 
100 systems and will be kept in a locked container. A copy of the exemption will be maintained 
with this packet. 

7.9 Sanitization and Destruction 

7.9.1 Hardware 

All sensitive and classified information is removed from all fixed media. The measures outlined 
in subsection 7.9.2 of this document are followed to sanitize the fixed media on the CI-100. 


7.9.2 Data Storage Media 

The destruction procedures for volatile memory are the same for any type of system. All power 
(direct and battery-provided) is removed from the memory chips. This causes all data stored on 
them to be destroyed. The quickest way to clear volatile memory is to turn off the computer, 
unplug it, and physically remove the memory chips from the motherboard. 


b2 
7.10 Software Security Procedures 

7.10.1 Procurement 

Software for the CI-100 will only be obtained through established FBI channels. Unless 
approved by the DAA, only software used in performing the OWT functions is permitted on the 
controlled interface. The program management office will test and approve new software for the 
interface prior to it being used on any of the devices. 

7.10.2 Evaluation 

Only approved software is permitted on the CI-100. The number of programs on the controlled 
interface is limited to only those programs that are needed to move data from the low security 
domain to the high security domain. If a system administrator wishes to install any additional 
software on the system, a request is submitted through the ISSO/ISSM to the DAA. The IAS 
will evaluate any security implications caused by the use of new software. The IAS and DAA 
must approve any software prior to it being installed on the system. 

7.10.3 Malicious Code / Virus Protection 
Up-to-date antivirus software will be used on the CI-100 to prevent an infection passing from the 
low side to the high side. The program must be properly configured so that in the event 
malicious software is detected, it isolates the offending packet(s) in the computer and permits the 
continued flow of data through the CI-100. 

Under certain circumstances, viruses may be intentionally brought into the high-side network. In 
this event, the data owner will submit a statement acknowledging this fact to the DAA, and that 
statement will be included in the SSP for the classified network. 

7.10.4 Data and Software Integrity Procedures 
7.11 Media Movement 

7.11.1 Media Introduction and Removal Procedures 

Due to its capabilities and limited functions, very few CI-100 associated removable media will 
need to be introduced into/taken out of the secure facility where the system is located. Only 
authorized removable media will be used in the CI-100 and will be procured through official FBI 
channels. 

Classified media will be removed from the secure facility with the approval of the ISSO. For a 
period of five years, the ISSO will maintain documentation and statements as required pertaining 
to the: 

• Justification for removal 
• Approval/validation for removal 
• Fact that the content was scanned/copied in accordance with the approved procedure 
• Fact that the content of the data was reviewed by two technically qualified and 
authorized release individuals 
• Verification that the process was monitored 

7.11.2 Data Copying, Reviewing, and Releasing Procedures 

The purpose of the CI-100 is to transfer information from an unclassified system to a classified 
system. Information processed by this controlled interface is not copied, does not need to be 
reviewed, and is not released while it is under the control of the CI-100. 

7.12 Hardware Control 

7.12.1 Transfer 

To transfer a CI-100, the procedures for transferring classified information will be used. The 
CPU chassis will be double-wrapped in opaque material, the inner wrapping preferably being the 
computer carton. For specific instructions on transmitting/transferring classified information, see 
MIOG 26-7, Transmittal of Classified Information. 
Prior to the transfer of the high-side computer, the hard drive will have all operational data 
removed from it. The hard disk will be overwritten in accordance with the procedures in 
subsection 7.9 of this document. The system can be used to process information at or above the 
classification of the data that it previously processed. 

The ISSO will maintain a record for five years noting the: 

• Justification for transfer 
• Approval/validation for transfer 
• Component was inspected in accordance with the approved procedure and written 
confirmation statement was provided 
• Verification that the process was monitored 
• Identity(-ies) of the person(s) performing these activities. 


7.12.2 Relocation 

If the CI-100 is relocated, it must be placed in an area approved for processing the highest 
classification of the information passing across it. Additionally, a one-meter (39 inches) 
separation must be maintained when the system is relocated in the proximity of a lower 
classification system. 

7.12.3 Release 

If the CI-100 is to connect an unclassified network to a confidential/secret network and will be 
located in a sensitive compartmented information facility (SCIF), the hardware release 
procedures outlined in DCI Directive 6/3 will be followed. 

To release the low-side computer, the hard drive will have all programs and data removed from 
it. The hard disk will be overwritten in accordance with the procedures in SSP subsection 7.9 
and then reformatted. The system can be used to process unclassified and above information. 

To release the high-side computer, the hard drive will have all programs and data removed from 
it. The hard disk will be overwritten in accordance with the procedures in SSP subsection 7.9 
and then reformatted. The system can be used to process information at or above the 
classification of the data that it previously processed. 

The ISSO will maintain a record for five years noting the: 

• Justification for release 
• Approval/validation for release 
• Component was inspected in accordance with the approved procedure and a written 
confirmation statement provided 
• Verification that the process was monitored 
• Identity(-ies) of the person(s) performing these activities 

• Fact that all other non-volatile components may be released after successful 
completion of the procedures outlined in ICSSM 130-2 

7.12.4 Maintenance 

Properly cleared and trained FBI employees or contractors will maintain the CI-100. If this is 
not possible, a cleared non-employee or an uncleared person may conduct maintenance on the 
system; however, a properly cleared, technologically-adept FBI employee or contractor will 
escort the person and supervise all work being done on the interface. 

7.12.5 Introduction 

If the CI-100 is to connect an unclassified network to a confidential/secret network and will be 
located in a SCIF, the hardware introduction procedures outlined in DCI Directive 6/3 will be 
followed. 

If the CI-100 is located in a secret (collateral) area, new equipment will be introduced into the 
secure area with the approval of the ISSO and communications manager. Any new system must 
have been procured from a trusted source and if sent overseas, must remain under U.S. control 
from the time it leaves the United States until it arrives at the overseas office. 

7.13 Web Protocol and Distributed/Collaborative Computing 
Not applicable. 

7.13.1 Web Server /Clients 
Not applicable. 

7.13.2 Mobile / Executable Code 
Not applicable. 

7.13.3 Collaborative Processes 
Not applicable. 

7.13.4 Distributed Processes 
Not applicable. 

7.14 Wireless Devices 
Not applicable. 

7.15 PKI Use 
Not applicable. 


8 SECURITY AWARENESS PROGRAM 

8.1 Program Description 

A security awareness program is currently being developed by Security Division and will be 
presented to all FBI employees and contractors. 

8.2 Users’ Guides 

A basic system administrator manual is found in various sections and subsections of this SSP. In 
addition to this manual, each system administrator should maintain a Windows 2000 
Professional/Server handbook. 
9 INTERCONNECTION SECURITY AGREEMENT 

If there are any interconnection service agreements, the ISSO will post them in this section. 


10 MEMORANDA OF AGREEMENT 

If there are any memoranda of understanding or memoranda of agreement, the ISSO will post 
them in this section. 


11 AVAILABILITY 

11.1 Restoration Procedures 

Please refer to subsection 7.5.6 of this SSP. 

11.2 Communications Back-up 

A spare modified OWT cable (fiber optic or RS-232) will be maintained for each CI-100. In the 
event that the communications medium (the OWT cable) breaks, the spare can be quickly 
inserted. A spare fiber cable between the two fiber optic NICs on the low machine will also be 
maintained with the system. 

In the event a NIC becomes inoperable, a replacement is modified, epoxied, and placed into the 
computer. The cable is connected to the NIC, and the computer is restarted. 

11.3 Power Back-up 

If the data owner, ISSO, and DAA representative agree that the CI-100 is a medium or high- 
availability system, the CI-100 will be connected to an uninterruptible power supply (UPS). If 
deemed appropriate, a program similar to APC's PowerChute may be installed to perform a 
graceful shutdown of the system, with the low side shutting down first, followed by the high 
side. 

11.4 Denial of Service Prevention 

The CI-100 is configured to accept data from a single computer on the unclassified network. 
Additionally, the CI-100 is not connected directly to the Internet and is located in FBI spaces. It 
is unlikely that it would be subject to an intentional denial-of-service attack. The ISSO and 
system administrators will monitor system and packet receipt logs to identify problems that may 
indicate the interface is being overloaded. 

11.5 Priority Process Protection 

In the CI-100, only a bare minimum number of processes are running. The reduced number of 
processes helps to prevent a lower priority process from interfering with a higher priority 
process. 

Also, please see subsection 7.5.6 for the priority in recovery procedures. 
12 EXCEPTIONS 


There are no exceptions to policy for the CI-100. If one is needed, the following procedures will 
be used in the exception request. 

Limitations in resources and technical capabilities may prevent the satisfaction of all security 
requirements without introducing unacceptable delay in achieving the operational requirements 
that the system was intended to satisfy. An exception indicates that the implementation of one or 
more security requirements is temporarily postponed and that satisfactory substitutes for the 
requirement(s) may be used for a specified period of time. This is in contrast to a waiver that 
implies a security requirement has been set aside and need not be implemented at all. The DAA 
may authorize exceptions under the following conditions: 

• Submission of a written request stating explicitly the requirements that are to be 
excepted and for what duration, including evidence of why the identified requirements 
cannot be implemented and indicating the countermeasures that are to be substituted 

• Submission of a description of the aspect of the threat or associated vulnerability(-ies) that is 
related to the proposed request and assurance that the consequent risk to the system will be 
acceptable based on other countermeasures that will be employed over the specified period 

• Submission of a plan for implementing the “excepted” security requirements later in the 
system’s life cycle. 

The procedures for requesting an exception to aspects of this SSP are: 

• The data owner writes the business case (justification) for the exception to the SSP and 
provides it to the ISSO. 

• The ISSO identifies possible risks introduced by this exception and provides existing or 
proposed risk mitigation measures. 

• The ISSO forwards the packet to the ISSM. 

• The ISSM, in conjunction with the Program Manager, evaluates the impact of the exception 
and proposed/existing countermeasures on the CI-100 and attached systems. The ISSM and 
Program Manager will make recommendations for additional safeguards or accept the 
ISSO's packet as is. 

• The packet is forwarded to the DAA for consideration. 

• If approved, the exception is processed under the configuration management program (Para. 
7.5.3). Any changes to the CI-100 configuration must be issued by the configuration 
management board. 
13 GLOSSARY OF TERMS 


ABBREVIATIONS 

CC - Common Criteria 
CM - Configuration Management 
CI - Controlled Interface 
DoS - Denial of Service 
ISA - Interconnection Service Agreement 
KVM - Keyboard, Video, Mouse 
MD - Message Digest 
MD5 - Message Digest 5 
NIST - National Institute of Science and Technology 
NIC - Network Interface Card 
PDS - Protected Distribution System 
ssh - Secure Shell 
ssl - Secure Sockets Layer 
SANS - SysAdmin, Audit, Network, Security Institute 


DEFINITIONS 

Checksum - (Please put definitions in this section.) 
Configuration Management (CM) - 
Controlled Interface (CI) - 
Denial of Service (DoS) - 
Destruction - 
Hash - 
Interconnection Service Agreement (ISA) - 
Side Computer - 
Keyboard, Video, Mouse (KVM) - 
Low Side Computer - 
Message Digest (MD) - 
Message Digest 5 (MD5) - 
National Institute of Science and Technology (NIST) - 
Need-to-Know - 
Network Interface Card (NIC) - 
Overwrite - 
Protected Distribution System (PDS) - 
RS-232 - 
Type Accreditation - 
RJ-45 - 
Sanitization - 
Secure Shell (ssh) - 
Secure Sockets Layer (ssl) - 
SysAdmin, Audit, Network, Security Institute (SANS) - 
System Security Support Structure - 
Telnet - 
Threat - 
Vulnerability - 

Appendix C - System Equipment Location Floor Plan 
Appendix D - System Handbooks 
Appendix E - Risk Management Matrix 
Appendix F - Certification Test Plan and Results 
Paragraph | Title | Controls | P 
2.2.2 | Environmental Protection | PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15 | P 
2.3 | System Layout | PE-2 | P 
2.4 | Emanation Protection | | 
2.4.1 | Red/Black Separation | PE | P 
2.4.2 | TEMPEST | PE | P 
3 | | | 
3.1 | | | 
3.2 | Protection Level/Mode of Operation | RA-2 | 
3.3 | Levels of Concern | | 
3.3.1 | Confidentiality | | 
3.3.2 | Integrity | RA-2 | P 
3.3.3 | Availability | RA-2 | P 
3.4 | Tier Designation | | P 
3.5 | System Diagram | | P 
3.6 | Interconnection Interface Description | | 
3.6.1 | | CA-3 | P 
3.6.1.1 | Connectivity Management Procedures | CM-3 | P 
3.6.1.2 | | CA-3 | P 
3.6.1.3 | | | 
3.6.1.4 | Networking | CM-2 | P 
3.6.2 | Indirect Connections | | 
3.6.2.1 | Indirect Import | SI-9, SI-10, SI- | P 
6.2.2 | | MPMP-6, MP-7 | P 
6.3 | Storage Media Marking and Labeling | MP-3 | P 
7 | Security Control Requirements | | 
7.1.1 | Risk Assessment | RA-1, RA-3, RA-4 | P 
7.1.2 | Compliance and Monitoring Program | CA-7, CM-4, IR-5, PE-5, RA-4, RA-5 | P 
7.2.1 | Personnel Security | PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-8 | P 
7.2.1.1 | Non-US Citizens | | P 
7.2.2 | Contingency Planning | | 
7.2.2.1 | System Backup | CP-9 | P 
7.2.2.1.1 | Backup Protection | CP-6 | P 
7.2.2.1.2 | On-site & Off-site Storage | CP-6 | P 
7.2.2.2 | Telecommunications Services | CP-8 | P 
7.2.2.3 | Backup Power Supply Requirements | | 
7.2.2.4 | Recovery Procedures | | 
7.2.2.4.1 | Continuity of Operations Plan | | P 
7.2.2.4.2 | Disaster Recovery Plan | | P 
7.2.3 | Configuration Management Program | CM-1, CM-2, CM-3, CM-4, CM-5 | P 
7.2.3.1 | Hardware & Software Procurement | CM-2, CM-3 | P 
7.2.3.2 | Evaluation | CM-3, CM-4 | P 
7.3.1.4.1.1 | Privileged User Group Roles | AC-2, AC-5 | P 
7.3.1.4.1.2 | General User Group Roles | AC-2, AC-5 | P 
7.3.1.4.2 | System Access Rights | | 
7.3.1.4.2.1 | Local System Access Rights | AC-3 | P 
7.3.1.4.2.2 | Remote System Access | AC-17 | 
7.3.1.4.2.3 | Non-Data File Access | AC-3 | 
7.3.1.4.3 | Privileged Users Access Rights | AC-3, AC-5, AC-6 | 
7.3.1.5.1 | Log-On Error Handling | | 
7.3.1.5.2 | Account Lockout Handling | AC-7 | P 
7.3.2 | Identification & Authentication | IA-1 | P 
7.3.2.1 | System Users | | 
7.3.2.1.1 | General Users | IA-2 | P 
7.3.2.1.2 | Privileged User | IA-2 | P 
7.3.2.1.3 | Device/System User | | 
7.3.2.2 | Account Management Procedures | | 
7.3.2.2.1 | Account Request Procedures | AC-2 | P 
7.3.2.2.2 | Account Maintenance Procedures | AC-2, IA-4, IA- | P 
7.3.2.2.3 | Account Termination Procedures | AC-2 | P 
7.3.2.3 | Authenticator Procedures | IA-5 | P 
7.3.2.3.1 | Password Generation | IA-5 | P 
7.3.2.3.2 | Password Changes | IA-5 | P 
7.3.2.4 | PKI Use | K-7 | P 
7.3.2.5 | Trusted Multi-Level Communication Path | SC-11 | P 
(number not legible) | Accountability (Including Audit ...) | | 
7.3.4.2.1.1 | Internal to the LAN | | P 
7.3.4.2.1.2 | | | P 
7.3.4.2.2 | Controlled Interface Requirements | — | P 
7.3.4.2.2.1 | Controlled Interface to System #1 | | P 
7.3.4.2.2.2 | Controlled Interface to System #2 | | P 
7.3.4.3 | | | 
7.3.4.3.1 | Mobile/Executable Code | SC-18 | 
(number not legible) | Distributed Processing | | 
7.3.4.3.4 | Wireless Devices | AC-18, SC-, SC-9 | P 
8.1 | (Security Awareness Program) Program Description | AT-1, AT-2, AT-3, AT-4 | P 


DCS 3000 System Security Plan (SSP) v3.0 dated 04/28/2006 
Errata Sheet - [05/23/2006] 

Section | P 
Rules of Behavior | 
Exceptions | 
Glossary | 

Attachment | Title | P | Comment 
A | Organizational Structure | P | 
B | Detailed System Diagram or System Security Architecture | | 
C | Facility Layout and Overview or System Equipment Location Floor Plan | | Multiple floor plan system deployed to 80 sites 
D | Equipment List | | 
E | Software List | | 
F | Agreements (MOA, MOU, ISA) | | 
G | Training Materials | | 
H | System Requirements | | 
I | Testing Plans and Results | | 
J | Risk Management Matrix (RMM) | | 
K | | | 
L | Accreditation Risk Management Report (RMP) | | 
M | Accreditation EC | | 
N | Accreditation Letter to DOJ | | 
O | Configuration Management Plan (CMP) | | 
P | Privileged & General Users Guides | | 
Q | Contingency Plan (CP) | | 
R | | | 
INTRODUCTION 


On 2 May 2006 Accreditation Unit requested the Certification Unit to validate the 
eight (8) findings documented in the DCS-3000 Risk Management Matrix (RMM), 
dated 5 November 2002. The request for Certification validation is to ensure that the 
eight findings have been properly mitigated by the system owner 
(Telecommunications Intercept and Collection Technology Unit (TICTU)). The 
results of the Certification validation are incorporated in the DCS-3000 Executive 
Summary Report in order to facilitate the decision by the accreditor to re-accredit the 
system for an additional three (3) years. 

The Enterprise Security Operations Center (ESOC) assisted Certification Unit with the 
security evaluation of the DCS-3000 in accordance with the C&A handbook section 
3.T.7.2 and Appendix C. The objective of the testing was to identify if proper 
actions were applied to mitigate the eight (8) vulnerabilities identified in the DCS- 
3000 RMM. 

This report documents the results of the May 26, 2006 testing performed by the 
ESOC on the DCS3000 located in the FBI Engineering Research Facility (ERF). 

USE OF OPERATIONAL DATA & CONNECTIVITY REQUIREMENTS 


The DCS-3000 system is classified as Sensitive But Unclassified (SBU) and is 
operational and deployed in central monitoring plants (CMP) located in FBI field 
offices and at the FBI Engineering Research Facility (ERF). ESOC performed 
testing on the ERF DCS-3000 only. Testing on the other DCS-3000 type systems at 
other Field Offices located throughout the country was not part of this testing scope. 
Further testing by the ISSM/ISSO on other DCS3000 type systems at other Field 
Office facilities is still required to ensure they are the same configuration as the tested 
system at the ERF. 


SECURITY TESTING APPROACH 


Security testing is conducted within the scope of the objectives described above. All 
validation testing scenarios performed were manual inspection of the DCS-3000 
system located in the ERF facility. 


TEST SUMMARY 


[name redacted], ESOC Vulnerability Assessment Test Team Member, was 
designated and performed validation testing of the eight (8) vulnerabilities identified 
in the DCS3000 RMM, dated November 5, 2002. The only system tested was the 
DCS3000 located in ERF, Quantico. 


FINDINGS 


Table 1 documents the results of the validation testing performed by ESOC on 26 May 
2006. Based on the ESOC findings, six (6) of the eight (8) findings have been verified as 
mitigated. One finding, "Improper workstation permissions," was a false finding based 
on the DCS-3000 SSP, dated April 28, 2006, Section 7.3.1.4.1. This section states, "The 
DCS-3000 utilizes a single user class with administrative rights for all ELSUR 
operations." Based on that Accreditor-approved SSP, least privilege on the workstation 
based on roles is not required. The only other vulnerability identified that has not been 
mitigated is finding # 8, Lack of Intrusion Detection Systems (IDS). ESOC has verified 
that this vulnerability is still active and has not been mitigated by the system owner. 


Table 1 - Validation Results 

Finding (number not legible): 
Methods to be used to limit the risk: Install FBI approved anti-virus software on all servers and 
workstations. System administrators ensure all virus signatures are updated weekly. 
RR = (not legible) 
Result: Verified. [Antivirus product] 4.5.1 installed with virus signatures updated 05/05/2006. 

Finding (number not legible): 
Recommend instituting an account lockout policy by implementing, at a minimum: 
• Account lockout duration 
• Account lockout threshold (i.e. 3 attempts) 
• Unlock procedures 
RR = Low 
Result: Verified. Accounts lock out after three attempts and must be reset by admin. 

Finding 4. Inadequate audit logging. VL = Medium. MEDIUM. 
Recommend implementing workstation and server auditing and log dumps on a daily basis to 
reduce impact on resources. 
RR = Low 
Result: Verified. Routers' syslog and systems' event viewer are set to record all events. 

Finding 5. Improper workstation permissions. VL = High. HIGH. 
Recommend the implementation of workstation permissions to give least privilege access. 
RR = Low 
Result: Failed. Software required to run with admin privileges. See SSP. 

Finding 6. Improper guest/administrator account configuration. VL = High. HIGH. 
Recommend deleting the guest accounts and renaming the administrator accounts. 
RR = Low 
Result: Verified. Guest account is disabled and the Administrator account is renamed. 

Finding 7. Lack of Intrusion Detection Systems (IDS). VL = High. HIGH. 
Recommend implementing an intrusion detection scheme. 
RR = Low 
Result: Failed. No IDS is installed. 

Finding 8. Telnet login is not encrypted. VL = High. HIGH. 
Recommend a secure Telnet implementation. 
RR = Low 
Result: Verified. Telnet is not being used. 
Title: IT SYSTEMS SECURITY RISK ANALYSES 

INFORMATION ASSURANCE SECTION (IAS) 
CERTIFICATION UNIT (CU) 

DIGITAL COLLECTION SYSTEM-3000 (DCS-3000) 
SECURITY TEST REPORT 


Synopsis: Certification Unit's validation findings conducted on the 
DCS-3000 Risk Management Matrix (RMM), dated 26 May, 2006. 

Reference: (1) 319U-HQ-1487677-SECD-275 

Administrative: Additional References: 

(2) DCS-3000 System Security Plan (SSP) (U//FOUO), 
dated 28 April, 2006 

(3) DCS 3000 Risk Management Matrix (RMM) 

(U//FOUO), dated 5 November, 2002 

(4) DCS 3000 Certification Executive Summary 

Report (U//FOUO), dated 26 May, 2006 

Details: In order to facilitate the decision to re-accredit the DCS- 
3000 system, the Accreditation Unit (AU) requested that Certification 
Unit validate the eight (8) findings documented in Reference (3) as 
being properly mitigated or closed. 

In accordance with the FBI Certification and Accreditation 
Handbook, the DCS-3000 system has been assessed as a Tier Level 2 with 
levels of concern (LOC) of Medium for Confidentiality, Integrity, and 
Availability. The DCS-3000 system is a Sensitive But Unclassified 
(SBU) system operating in the System High Mode of Operation, Reference 
(1). 

Enterprise Security Operations Center (ESOC) Testing 
personnel assisted Certification Unit by performing validation of the 
To: Security From: Security 

Re: 319U-HQ-1487677-SECD 05/31/2006 


eight (8) findings identified in the RMM Reference (3). The results 
of the validation testing are in the Certification Executive Summary 
Report Reference (4). Validation results concluded that three (3) of 
the six (6) were corrected. One (1) vulnerability was found to be a 
false finding. The last finding, lack of the Intrusion Detection 
System (IDS), has not been corrected or mitigated. 

Certification testing on the DCS-3000 system was performed 
during an initial C&A effort four years ago. Due to the age of the 
previous Certification assessment, as well as proposed changes to the 
current architecture, the Certifier recommends that full Certification 
testing be performed on the DCS-3000 system. 

LEAD(s) : 

Set Lead 1: (Action) 

SECURITY 

AT WASHINGTON. DC 

Attn: Accreditation Unit. Coordinate the accreditation 

decision for the DCS-3000 System. 

Set Lead 2: (Info) 

SECURITY 
System Security Plan (SSP) 

DCS 3000 

Pre-Certification Test Results and Findings 

1.0 PRE-CERTIFICATION TEST RESULTS 

(U) The test results reported herein were generated as part of a pre-certification test effort. The purpose of this set of tests is to 
allow the system provider to make security-related modifications to the DCS 3000 system prior to the main certification testing effort. 
The format of this document is based on that used for Appendix F of the System Security Authorization Agreement (SSAA). 

Based on the certification review of the DCS 3000, several significant information assurance deficiencies were found. 
These findings are based on document review, interviews of both system administrators and users, and actual testing. 

(U) Since time limits prevented thorough testing of the DCS 3000, a sufficient sampling was made to draw conclusions about 
practices, capabilities and deficiencies. Tests were performed in priority order taking into account the sensitivity of information contained 
therein and the importance for immediate continuity of the system in a time of crisis. 

The major deficiencies were in the areas of passwords and permission (access controls). 

(U) All of these deficiencies indicate a lack of proper infrastructure for the information assurance of the DCS 3000. Some of 
these are a direct result of the certification testing, and others are a result of interviews with both users and system administrators as 
well as review of existing documentation. 


1.1 Testing Constraints 

(U) Security should ensure that procedures, policies, and practices are in place to ensure data confidentiality, integrity, and 
operational availability of the DCS 3000. 


(U) With the exceptions noted in Section 3.0, all tests were performed in the test environment. In addition to the 
certification and accreditation team members present at the tests, test team participants included the CSSO, technical project manager 
and program sponsor. Test dates and participants are listed in Section 2.0 of this document. 

1.2 Major Findings 

(U) Numerous findings have been identified for the DCS 3000. These fall into both the technical and the policy/procedural 
areas. The following sections summarize the major findings. 


********** CAUTIONARY REMARK ********** 

(U) Suggestions for mitigating changes are included in several finding descriptions. The system owner/administrator must 
assume full responsibility for making such changes correctly. Before making any changes, the system components should be 
completely backed up. The suggested changes should be researched to determine if there are more current fixes available. 
Caution is advised as to the proper order in which the changes are made, as they are usually not independent of each other. 
Finally any changes should be made in compliance with current configuration management guidelines. 

**************************************** 


(U) The following table briefly summarizes the technical findings: 

1.2.1 Technical Findings 

The following table briefly summarizes the technical findings. These findings are serious and numerous. 
Operating System Manual Testing | 1 | Id | X | SI-03 | Refer to page 23 of this document. 

1.2.2 Procedural/Policy Findings 

(U) The following list identifies the policy and procedural findings: 
Not tested in pre-certification test. 
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2.0 TEST SCHEDULE 

(U) Testing was scheduled to occur between August 22, 2002 and August 23, 2002. Data entry, analysis and final editing of 
this document occurred between August 27, 2002 and August 31, 2002. 


(U) The following table lists the test script groups and the dates that testing, results recording and analysis was completed for that 
group. 

(U) 


Test Script and Result File | Testing Completed | Results Recorded | Analyses Completed 
DISA Windows 2000 SRR scripts | 8/22/02 | 8/27/02 | 
ISS Vulnerability Scan (System) | 8/23/02 | 8/27/02 | 
(name not legible) | 8/23/02 | 8/27/02 | 

3.0 TECHNICAL TESTS AND TEST RESULTS 

(U) The following pages describe the actual tests performed. The tests are grouped as in the previous table. The order of the 
groups is essentially the sequence in which they were performed. 

(U) Each test case includes a Test Description, the relevant Requirements, the desired Test Preparation, a table of Test 
Procedures and Results, and Analysis of Results, and finally a Pass/Fail table. 

(U) Several test cases used automated vulnerability scanner test scripts. The results of these scans provide the detailed 
vulnerabilities, i.e., those specific items that must be fixed by modifying the system or determining the history of prior changes. 

These detailed results are the basis for several of the major findings reported herein. They are not included in this document, as they 
are directed towards system administrators whose job it will be to make the DCS 3000 adequately secure. However, they are 
available on request. They include: 


1) (U) Security Readiness Review (SRR) scripts, Windows 2000 test results and findings 

2) (U) ISS System Scanner test results and findings 

3) (U) CISCO SYSTEM scanner test results and findings 

4) (U) Manual test scripts and findings 
BANNERS AND LABELS TEST SCRIPTS AND RESULTS 


(U) Test Case BL-01: Test for Standard Security Warning Banner 

(U) Description: This test determines if the standard security warning banner appears prior to login on both servers and workstations. 

(U) Preparation: The system administrator shall send a system alert message to all users to save work and logout to allow testing. 
All workstations attached to the system network must be powered-up. They should not be logged on. 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | Press CTRL+ALT+DELETE keys to unlock the console (if locked) and to initiate the login process on the Primary Domain Controller. Login using a valid user ID and password. Logout and lock console. For each of a sample of workstations using an NT-based operating system in several locations, power up and press CTRL+ALT+DELETE to initiate the login process. Login using a valid user ID and password. Look for the warning banner. Shutdown. | Standard warning banner should appear at a point prior to login. | 8/23/02 | As expected (The standard FBI banner does exist.) 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) MIOG 35-9.3.1(5)(b): The following banner shall be displayed on all FBI ADPT systems at a point prior to the user signing onto the system: "This FBI system is for the sole use of authorized users for official business only. You have no expectation of privacy in its use. To protect the system from unauthorized use and to insure that the system is functioning properly, individuals using this computer system are subject to having all of their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to the appropriate officials." | Pass | 
(U) Test Case BL-02: Verifying Hardware has Proper Government Property Tags and Labeled with Proper Security Labels 

(U) Test Description: This physical inspection checks for the existence of appropriate security labels affixed to hardware. 

(U) Test Preparation: None. 


Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | All System equipment shall be examined for the proper security label. | Hardware processing, transmitting or storing data should be labeled at the highest security level of the data handled. | 8/23/02 | As expected. 
2 | Review procedures for handling hard disk drives from system hardware, either for destruction or transfer. | Must be handled only by FBI personnel and not leave controlled facility, as per requirements. System maintenance staff must be aware of and follow such procedures. | 8/23/02 | As expected. 


(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) MIOG 35-9.4.10(1)(a): All systems with non-removable ADPT storage devices must conspicuously display classification and data descriptor labels on the unit that contains the magnetic ADPT storage device. The monitor may also be labeled. | Pass | 
(U) MIOG 35-9.4.13(1): ADPT equipment and storage media that has processed FBI information may only be reused (e.g., transferred to another unit) within FBI control systems (i.e., formal access programs, SCIF, and TEMPEST) after they have been cleared by FBI employees. The microcomputer or ADPT storage media remains labeled and secured to the highest level of information ever entered into, stored on, or processed by the device. | Pass | 
(U) DOJ 2640.2D 26.b. IT systems shall contain an external classification marking authorizing the level of information that can be processed. | Pass | 
(U) Test Case BL-03: Verify Removable Media has Proper Security Labeling. 

Verify the existence of proper procedures for Disposal of Hard Copy/Magnetic Media. 
Verify Backup Media Protection. 

(U) Test Description: Confirm that removable media has the proper SF-707 classification and data descriptor labels. Examine diskettes, CDs, 
back-up tapes. Confirm that there are procedures in place to address the disposal of fixed and removable magnetic media, hard copy and printer 
ribbons. Confirm that backup media and installation are properly labeled as to date, and properly protected. Examine storage area. 

(U) Test Preparation: None. 


(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | The SA shall confirm that removable media has the proper SF-707 classification labels attached to removable media through spot checks. | | | Not applicable. 
2 | Check for documented procedures for disposal of hard copy/magnetic media. | | | Not applicable. 
3 | The SA shall show room location and storage location of backup media. | | 8/23/02 | As expected. 


(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) MIOG 35-9.4.10(1)(b): Removable media must be labeled with external markings. An exception to this policy is granted for computer center operations supporting a computerized tape management system that provides internal classification and data descriptor designations, as long as the media remains in FBI controlled space. However, all magnetic media leaving FBI controlled spaces must be labeled with the external classification and data descriptor labels. | N/A | 
(U) MIOG 35-9.4.14(1)(c): When inoperable, diskettes, tape cartridges, printouts, ribbons and similar items used to process sensitive or classified information must be destroyed in accordance with MIOG Part II Section 26. | N/A | 
(U) MIOG 35-9.4.14(1)(d): When inoperable, hard disks used to process sensitive or classified information must be sent to FBIHQ for proper disposal following procedures provided in MIOG Part II Section 26. | Pass | 
(U) Test Case BL-04: Data Record Marking 

(U) Description: This test contains several tests to determine if the means exist to effect a page or record labeling mechanism for security 
markings. 

(U) Preparation: None 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | Review data dictionaries for the Oracle database application tables to determine if required security marking fields are included. | Fields are included on the data dictionaries. | | N/A 
2 | Review a sample of records from the Oracle database application to determine whether the security marking fields are populated appropriately. | Sample shows that fields are populated appropriately. | | N/A 
SYSTEM INTEGRITY TEST SCRIPTS AND RESULTS 

(U) Test Case SI-01: Test for Anti-Virus Protection 

(U) Description: This test determines if the necessary preparations have been made to protect the system from viruses. This includes having current virus 
signature data. 

(U) Preparation: The system administrator shall be able to verify existing anti-virus mechanisms. 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | The SA shall log onto each workstation among the sample allocated for this purpose, as administrator, and open the anti-virus protection program. Observe what resources are scanned, and the frequency at which automatic scans are performed, and at what level of detail, e.g., executables, files, boot sector. | All floppy disk volumes must be scanned when mounted. The boot sector, and key system files should be scanned on startup. Detailed scanning of all files should occur at least weekly at a designated time that has the least impact on work productivity. | 8/23/02 | Fail. No anti-virus software was found. 
2 | The SA shall determine on each selected workstation, the date of the virus signature data file(s) in place. | They should not be more than one week older than the latest available from the vendor. | 8/23/02 | Fail. Presently, there are no virus checking programs in place. 
3 | Verify procedures used upon detection of virus or other malicious software. | Procedures must be written and well-understood by all system users. | 8/23/02 | Fail. Presently, there are no virus checking programs in place. 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) MIOG 35-9.4.4(4): Whenever a virus infection is detected, it should be reported to the ADPT Security Officer. | Fail | Presently, there are no virus checking programs in place. 
(U) MIOG 35-9.4.5(4): Vendor diagnostic software must be scanned, write-protected, and retained by the Computer Specialist. Only this copy of the software may be used on FBI ADPT systems. | Fail | Presently, there are no virus checking programs in place. 
(U) DOJ 2640.2D 10. Components shall establish procedures to ensure that computer software installed on component IT systems is in compliance with applicable copyright laws and is incorporated into the system's life cycle management process. | Fail | Presently, there are no virus checking programs in place. 
(U) DCID 6/3 MalCode: Procedures to prevent the introduction of malicious code into the system, including the timely updating of those mechanisms intended to prevent the introduction of malicious code (e.g., updating anti-viral software). | Fail | Presently, there are no virus checking programs in place. 
(U) Test Case SI-02: Verifying System Data and Program Backup and Restore 

Test Description: This test determines the extent to which system backup and restore are operational. 

Test Preparation: None. 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | Review back-up job streams to determine if all software and data are included in the backups. | All data and software should be backed up. | 8/23/02 | According to [redacted] (b7C), backups are handled centrally by FBI on FBINET. 
2 | Determine where backup media are stored. | Media should be stored in a secured location. Periodically, complete backup media must be stored at an off-site location. | 8/23/02 | According to [redacted], backups are handled centrally by FBI on FBINET. 
3 | Determine if it is possible to restore to a computer with lower security protection. | No computer with drives capable of reading the backup media should be co-located with the system that is cleared to a lower security level. | 8/23/02 | As expected. 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) MIOG 35-8.1.2(3): System security plan documentation is required for every classified and sensitive FBI ADPT system. The components of a system security plan are: a) system security plan following OMB 90-08 or its successor; b) documented risk management actions pertaining to the ADPT system; c) certification statement that reflects the results of certification tests of the security features applicable to the system; d) contingency plan which consists of an emergency response plan, backup operations plan, and post-disaster recovery plan; e) standard security procedures for users and operators of the system. | Pass | 
DCID 6/3 Doc1: Documentation shall include: A System Security Plan. A Security Concept of Operations (CONOPS) (the Security CONOPS may be included in the System Security Plan). The CONOPS shall at a minimum include a description of the purpose of the system, a description of the system architecture, the system's accreditation schedule, the system's Protection Level, integrity Level-of-Concern, availability Level-of-Concern, and a description of the factors that determine the system's Protection Level, integrity Level-of-Concern, and availability Level-of-Concern. | Pass | 
DCID 6/3 Doc2: Documentation shall include guide(s) or manual(s) for the system's privileged users. The manual(s) shall at a minimum provide information on (1) configuring, installing, and operating the system; (2) making optimum use of the system's security features; and (3) identifying known security vulnerabilities regarding the configuration and use of administrative functions. The documentation shall be updated as new vulnerabilities are identified. | Pass | 
DCID 6/3 Doc3: The DAA may direct that documentation also shall include: Certification test plans and procedures detailing the implementation of the features and assurances for the required Protection Level. Reports of test results. A general user's guide that describes the protection mechanisms provided and that supplies guidelines on how the mechanisms are to be used and how they interact. | Pass | 
DCID 6/3 Verif1: Verification by the DAA Rep that the necessary security procedures and mechanisms are in place; testing of them by the DAA Rep to ensure that they work appropriately. | N/A | 
(U) DOJ 2640.2D 9.1. [Components shall:] Develop a contingency plan for each general support system and major application. Contingency plans shall: (1) Identify the priorities of the system for restoration, taking into consideration the system's role in fulfilling Department mission and interdependency requirements. (2) Determine the maximum amount of elapsed time permissible between an adverse event and putting the system's contingency plan into operation. (3) Determine the maximum amount of data and system settings that can be lost between the service interruption event and the last back-up (this measure shall determine system back-up policies). (4) Identify interdependencies with other systems (i.e., other component, Federal, State or local agencies) that could affect contingency operations. (5) Identify system owners, roles, and responsibilities. | Pass | 
(U) DOJ 2640.2D 9.2. [Components shall:] Develop and maintain site plans that detail responses to emergencies for IT facilities. | Pass | 
(U) DOJ 2640.2D 9.3. [Components shall:] Test contingency/business resumption plans annually or as soon as possible after a significant change to the environment, that would alter the in-place assessed risk. | Pass | 
(U) MIOG 35-9.4.4(3): Executable software authorized to run on an FBI ADPT system shall be identified in the system security plan. The level of protection must be commensurate with the sensitivity of the information processed. At a minimum, such media should be backed up and stored physically separated from the system or at an off-site location. | Pass | 
(U) Test Case SI-03: Verifying System Integrity Safeguards 

(U) Test Description: This test determines the extent to which system integrity safeguards are in place. 

(U) Test Preparation: None. 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | Verify that access to update source code is limited to specified programmers. Application user should attempt to update application source code. | Access to update the source code should be limited to two persons. | 8/23/02 | As expected 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
MIOG 35-9.4.4(3): requires that safeguards must be in place to detect and minimize inadvertent or malicious modification or destruction of an ADPT system's application software, operating system software, and critical data files. The safeguards should achieve the integrity objectives and should be documented in the system security plan. | Pass | 
DOJ 2640.2D 8. Component IT systems shall be examined for security prior to being placed into operation. All IT systems shall have safeguards in place to detect and minimize inadvertent or malicious modifications or destruction of the IT system. | Pass | 
DCID 6/3 Integrty1: Data and software storage integrity protection, including the use of strong integrity mechanisms (e.g., integrity locks, encryption). | Pass | 
DCID 6/3 Integrty3: Integrity, including the implementation of specific non-repudiation capabilities (e.g., digital signatures), if | N/A | 
(U) Test Case SI-04: Verifying System Software Licenses 

(U) Test Description: This test determines the extent to which commercial software used on the system is licensed. 

(U) Test Preparation: The system administrator or program manager shall produce documented evidence of licenses for commercial software used on system. 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | Verify all installed software is properly licensed. | All licenses are current and available | 8-23-02 | As expected. 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) MIOG 35-9.4.4(5): Use of software shall comply with copyright laws. | Pass | 
(U) MIOG 35-9.4.5(4): Vendor diagnostic software must be scanned, write-protected, and retained by the Computer Specialist. Only this copy of the software may be used on FBI ADPT systems. | Pass | 
(U) DOJ 2640.2D 10. Components shall establish procedures to ensure that computer software installed on component IT systems is in compliance with applicable copyright laws and is incorporated into the system's life cycle management process. | Pass | 



August 27, 2002 

LIMITED OFFICIAL USE ONLY 

System Security Plan (SSP) 
DCS 3000 
Pre-Certification Test Results and Findings 

NETWORK CONNECTIVITY TEST SCRIPTS AND RESULTS 

(U) Test Case NC-01: Intranet Connectivity 

(U) Test Description: This test determines if any Internet or intranet sites outside the system can be accessed from the system workstations. The first 
steps test if the system and other intranet computers can be reached via simple TCP/IP commands. This test is performed using 
all workstation operating systems. 

(U) Test Preparation: Test user accounts shall have been created. The systems administrator shall provide the IP addresses of the Primary Domain 
Controller. Test team will need IP addresses outside the network to ping. 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | The SA shall, on several workstations for each workstation operating system, attempt to use the TCP/IP Ping command to determine if the System PDCs will respond. On Windows workstations, the MS-DOS window or the Run Command may be used. | The PDC of the operational portion of the System should respond with several lines giving timing information. The ping command to the PDC on the test portion of the System should time out. | 8/23/02 | N/A. The intranet was not used. 
2 | The SA shall, on at least one workstation for each workstation operating system, attempt to use the ping TCP/IP command to determine if computers having selected sites assumed to be outside the network respond. | No non-System site should respond, and the ping commands should time out. | 8/23/02 | N/A. 
3 | Using the workstation Web Browser, attempt to open the home pages for the browser vendor (these should be available in the setup options for the browser). | Attempts should fail. | 8/23/02 | N/A. 
4 | All System personnel shall be asked to log onto the System using their own account usernames and passwords. Inspect directories that contain cookies, and addresses of sites visited, for outside locations. | No non-System site locations should be referenced. | 8/23/02 | N/A. 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
MIOG 35-6(4): Connectivity is prohibited between internal FBI ADPT systems and all other systems or networks not covered under the FBI's management authority without approval of the FBI accrediting authority. | N/A | 
MIOG 35-9.3.1(6): Interconnections between sensitive and classified FBI ADPT systems and non-FBI ADPT systems must be established through controlled interfaces. The ADPT Security Officer must be consulted for guidance on establishing controlled interface. The controlled interfaces used in an ADPT system implemented as a network shall be accredited at the highest classification level and most restrictive classification category of information on the network. | N/A | 
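The reachability rule NC-01 states (the operational PDC answers; the test-segment PDC and every address outside the System time out) can be checked mechanically from saved ping output rather than read off the screen. The Python below is an added example and is not part of the test results or the DCS 3000 tooling; the IP addresses and the ping transcript it evaluates are constructed placeholders, and the test is assumed to have been run from a Windows workstation, whose ping prints "Reply from ..." and "Request timed out." lines.

```python
"""Evaluate NC-01 style connectivity results from captured Windows ping output.
Added example; the addresses and transcript below are constructed, not the
DCS 3000 network or its recorded test output."""
import re

# Expected reachability for each target, as NC-01 describes it:
#   True  = must reply (operational PDC)
#   False = must time out (test-segment PDC, any site outside the System)
EXPECTATIONS = {
    "10.1.1.10": ("operational PDC", True),              # constructed address
    "10.2.1.10": ("test-segment PDC", False),            # constructed address
    "192.0.2.50": ("site outside the System", False),    # constructed (TEST-NET-1)
}

PINGING_RE = re.compile(r"^Pinging (\S+) with \d+ bytes of data:")
REPLY_RE = re.compile(r"^Reply from (\S+): bytes=\d+ time[<=]\d+ms TTL=\d+")
TIMEOUT_RE = re.compile(r"^Request timed out\.")

# Constructed transcript: the outside site answers once, which NC-01 treats as
# a failure because no non-System site should respond at all.
SAMPLE_OUTPUT = """\
Pinging 10.1.1.10 with 32 bytes of data:
Reply from 10.1.1.10: bytes=32 time<10ms TTL=128
Reply from 10.1.1.10: bytes=32 time<10ms TTL=128

Pinging 10.2.1.10 with 32 bytes of data:
Request timed out.
Request timed out.

Pinging 192.0.2.50 with 32 bytes of data:
Request timed out.
Reply from 192.0.2.50: bytes=32 time=40ms TTL=50
"""


def parse_ping_output(text):
    """Count replies and timeouts per target in a concatenated ping transcript."""
    results = {}
    target = None
    for line in text.splitlines():
        line = line.strip()
        m = PINGING_RE.match(line)
        if m:
            target = m.group(1)
            results.setdefault(target, {"replies": 0, "timeouts": 0})
            continue
        if target is None:
            continue
        if REPLY_RE.match(line):
            results[target]["replies"] += 1
        elif TIMEOUT_RE.match(line):
            results[target]["timeouts"] += 1
    return results


def evaluate(results, expectations):
    """Return one row per expected target: (target, role, verdict, observed)."""
    rows = []
    for target, (role, must_reply) in expectations.items():
        obs = results.get(target)
        if obs is None:
            rows.append((target, role, "NOT TESTED", "no ping output for target"))
            continue
        observed = f"{obs['replies']} replies, {obs['timeouts']} timeouts"
        if must_reply:
            verdict = "PASS" if obs["replies"] > 0 else "FAIL"
        else:
            # Any reply from a host that must be unreachable is a finding.
            verdict = "PASS" if obs["replies"] == 0 and obs["timeouts"] > 0 else "FAIL"
        rows.append((target, role, verdict, observed))
    return rows


def overall_pass(rows):
    """The test case passes only if every target row passes."""
    return all(verdict == "PASS" for _, _, verdict, _ in rows)


if __name__ == "__main__":
    table = evaluate(parse_ping_output(SAMPLE_OUTPUT), EXPECTATIONS)
    for row in table:
        print(" | ".join(row))
    print("NC-01:", "PASS" if overall_pass(table) else "FAIL")
```

A target that never appears in the transcript is reported as NOT TESTED rather than passed, so a step that was skipped (as the actual outcome column records here) cannot be mistaken for a confirmed isolation result.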
(U) Test Case NC-03: Verifying Physical Connections 

(U) Test Description: This test looks for undocumented maintenance ports, modems. No connectivity outside the network is expected. 

(U) Test Preparation: Electronic technicians to provide access to wiring closets, as required, to provide available wiring diagrams, and equipment for continuity 
testing and line-loss measurement. Wiring diagrams and installation line loss values shall be made available. 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | The SA/ET staff shall physically verify each wire connection beginning with the servers, continuing through switches, hubs to each termination point, verifying cable numbers and ports. | There should be accountability for each connection as described on the network diagram. | 8/23/02 | As expected. 
2 | Line continuity tests shall be made to verify correct cable connections and labeling. Line loss measurements shall be made to determine if a possible splice or break exists. Comparisons with documented line loss shall be made when installation values are available. | Cables should be connected and labeled according to documentation. Line loss shall not indicate splice or break in line continuity. | 8/23/02 | As expected. 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) MIOG 35-9.4.7: The ISAs and POCs must be able to identify all ... whether operating as part of a network or in a standalone mode of operation. This requirement is in addition to the hardware and software inventory requirements stated in MIOG Part II Section 16-18.9. | Pass | 


NETWORK VULNERABILITY SCANNER TEST SCRIPTS AND RESULTS 

(U) Test Case NS-01: Identify network vulnerabilities using Cisco Security Scanner (CSS) 

(U) Features of the CSS scanner: The Cisco Security Scanner is a network-based security assessment tool. It provides extensive port and service scanning and network 
vulnerability analysis. It can perform scheduled and selective probes of network devices including routers and switches, networked hosts, 
operating systems and key applications. During a scan, it identifies a comprehensive set of vulnerabilities likely to be exploited during network 
attacks, and recommends corrective action. CSS prepares reports and data sets to support policy enforcement. 

(U) Description: This test runs the CSS Security Scanner vulnerability assessment tool. General features are described above. This test targets network 
vulnerabilities. 

(U) Preparation: The Certification Test Team shall provide the CSS scanner with the latest vulnerability signatures. The System Administrator (SA) shall 
install the CSS scanner where needed. 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | Install Cisco Security Scanner on NT4 Server. | Application should install properly. | 8/23/2002 | As expected 
2 | Execute the scanner tool setup procedures to test the target network. | Setup should work properly. | 8/23/2002 | As expected 
3 | Execute the scan. | Scanning should proceed without errors. | 8/23/2002 | As expected 
4 | Compile and analyze the results. Detailed results will be included in a separate document. Summary statements of remaining vulnerabilities shall be contained in the Analysis of Results section. | All required security patches should be installed. No vulnerabilities impacting security requirements should be found. | 8/23/2002 | As expected 

(U) Analysis of Results: 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) DOJ 2640.2D 16.e. [Access controls shall be in place and operational for all Department IT systems to:] Enforce separation of duties based on roles and responsibilities. | Pass | 
(U) DOJ 2640.2D 16.f. [Access controls shall be in place and operational for all Department IT systems to:] Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure. | Fail | Telnet login in the clear and address cited in the router and access list 
(U) DOJ 2640.2D 16.g. [Access controls shall be in place and operational for all Department IT systems to:] For systems operating in the system high mode of operation, the system security features must have the technical ability to restrict the user's access to only that information which is necessary for operations and for which the user has a need-to-know. | Pass | 
AUTOMATED VULNERABILITY SCANS AND RESULTS 

(U) Test Case VS-01: Determine System Vulnerabilities Using the Internet Security Systems (ISS) System Scanner 

(U) Description: This test runs the ISS System Scanner vulnerability assessment tool. The ISS System Scanner is a network-based security 
assessment and policy compliance solution. System Scanner provides ongoing and decision-support reporting focused on the most critical aspects 
of managing risk. The Internet Scanner can perform scheduled and selective probes of communication services, operating systems, key 
applications and routers. As it "scans," System Scanner uncovers the most comprehensive set of vulnerabilities likely to be exploited during 
attempts to breach or attack your network and provides you with the necessary corrective action. System Scanner also prepares reports and data 
sets to support sound, knowledge-based policy enforcement. 

(U) Preparation: The Certification Test Team shall provide the ISS System Scanner with the latest vulnerability signatures. The System 
Administrator (SA) shall install the ISS Internet Scanner where needed. 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | Install the Internet Security Systems System Scanner on server. | Test application should install properly. | 8-22-02 | As expected 
2 | Execute the scanner tool setup procedures to test system server(s) for Internet Information Server vulnerabilities. | Setup should work properly. | 8-22-02 | As expected 
3 | Execute the scanning as per setup. | Internet function scanning should proceed without a problem. | 8-22-02 | As expected 
4 | Compile and analyze the results. Detailed results will be included as an attachment to this document. Summary statements of remaining vulnerabilities shall be contained in the analysis below. | A properly configured server should not exceed this number and/or severity of vulnerabilities. All required security patches should be installed. | 8-22-02 | As expected 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) DOJ 2640.2D 7.h. Accreditations with conditions shall not be granted if system or application vulnerabilities permit the following: (1) Breaches to the confidentiality and integrity functions of the system or application and its data. | Pass | 
(U) DOJ 2640.2D 16.e. [Access controls shall be in place and operational for all Department IT systems to:] Enforce separation of duties based on roles and responsibilities. | Pass | 
(U) DOJ 2640.2D 16.f. [Access controls shall be in place and operational for all Department IT systems to:] Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure. | Pass | 
(U) DOJ 2640.2D 16.g. [Access controls shall be in place and operational for all Department IT systems to:] For systems operating in the system high mode of operation, the system security features must have the technical ability to restrict the user's access to only that information which is necessary for operations and for which the user has a need-to-know. | Pass | 
(U) MIOG 35-9.3.1(1): Prior to March 6, 2000, ADPT systems used for the processing of classified or sensitive information in the System High Security mode of operation must have the functionality of the C2 level of trust defined in the Department of Defense (DoD) 5200.28-STD, "Department of Defense Trusted Computer System Evaluation Criteria." The Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, National Computer Security Center Technical Guide 005 (NSC-TG-005), provided guidance on achieving C2 functionality in a network. On October 8, 1999, the National Security Agency issued the "Controlled Access Protection Profile (CAPP)" to replace the C2 standard. All future procurements of DOJ computer systems operating in System High Security Mode MUST meet CAPP security requirements from the above date forward. | Pass | 
(U) MIOG 35-9.3.1(4)(e): Access Control: For systems operating in the Systems High Security Mode of Operation, access control may be implemented through discretionary access control techniques through measures such as file passwords, access control lists, disk encryption or other techniques, as defined in the approved system security plan. | Pass | 
(U) Test Case VS-03: Determine Windows Operating System Vulnerabilities Using the DISA Security Readiness Review 
Scripts 

(U) Features of the DISA Security Readiness Review (SRR) Scripts: These scripts are designed to check the access control of each system or database. 

(U) Description: This test runs the DISA Security Readiness Review scripts. General features are described above. 

(U) Preparation: The Certification Test Team shall provide the DISA SRR scripts. The system administrator (SA) shall install the DISA SRR 
script and batch files where needed. 

(U) Procedure: 

Step | Procedure | Expected Outcome | Date Tested | Actual Outcome 
1 | Install the DISA SRR scripts and batch files on the network Primary Domain Controller. | Test scripts should install properly. | 8/23/02 | As expected. PDC is not set up for this configuration. 
2 | Execute the test scripts. | Server scanning should proceed without a problem. | 8/23/02 | As expected. 
3 | Compile and analyze the results. Detailed results will be included in a separate document. Summary statements of remaining vulnerabilities shall be contained in the analysis below. | A properly configured server should not have an excessive number and/or severity of vulnerabilities. All required security patches should be installed. | 8/23/02 | As expected 

(U) Analysis of Results: It was noticed on both workstation and server that all auditing was not turned on. The system administrator said there was 
a resource issue when capturing all the auditing data. More details are included in the attached results. 

(U) Pass/Fail: 

Requirement | Pass/Fail | Comment 
(U) DOJ 2640.2D 16.a. [Access controls shall be in place and operational for all Department IT systems to:] Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more. | Pass | 
(U) DOJ 2640.2D 16.e. [Access controls shall be in place and operational for all Department IT systems to:] Enforce separation of duties based on roles and responsibilities. | Pass | 
(U) DOJ 2640.2D 16.f. [Access controls shall be in place and operational for all Department IT systems to:] Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure. | Pass | 
(U) DOJ 2640.2D 16.g. [Access controls shall be in place and operational for all Department IT systems to:] For systems operating in the system high mode of operation, the system security features must have the technical ability to restrict the user's access to only that information which is necessary for operations and for which the user has a need-to-know. | Pass | 
(U) MIOG 35-9.3.1(1): Prior to March 6, 2000, ADPT systems used for the processing of classified or sensitive information in the System High Security mode of operation must have the functionality of the C2 level of trust defined in the Department of Defense (DoD) 5200.28-STD, "Department of Defense Trusted Computer System Evaluation Criteria." The Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, National Computer Security Center Technical Guide 005 (NSC-TG-005), provided guidance on achieving C2 functionality in a network. On October 8, 1999, the National Security Agency issued the "Controlled Access Protection Profile (CAPP)" to replace the C2 standard. All future procurements of DOJ computer systems operating in System High Security Mode MUST meet CAPP security requirements from the above date forward. | Pass | 
(U) MIOG 35-9.3.1(4)(e): Access Control: For systems operating in the Systems High Security Mode of Operation, access control may be implemented through discretionary access control techniques through measures such as file passwords, access control lists, disk encryption or other techniques, as defined in the approved system security plan. | Pass | 
WINDOWS 2000 SYSTEM POLICIES

(U) Test Case PS-W2K-01: Verify System Policies

(U) Description: This test identifies the elements of the Windows 2000 Security Policy as configured on the target system, and verifies
compliance with requirements. Windows 2000 Security Policy elements are grouped into categories including Account Policies (lockout and
password), Local Policies (audit, user rights, and security options), and IP Security. The Microsoft Management Console (MMC) is used to
manage these security policy categories at the domain, group, user and local system levels.

(U) Preparation: The SA must be able to access the server. SA should provide, if available, the preferred policy configuration settings for system
servers and the basis for their use.
(U) Procedure:

Step 1
Procedure: From the MMC Console on the domain controller, observe the Default Domain Policy object. (On a
workstation or member server, observe the Local Computer Policy object). Observe the objects located under
Computer Configuration/Windows Settings/Security Settings. (Additional Security Settings objects may include
Event Log, Restricted Groups, System Services, Registry, File System, and Public Key Policies. At present, these
additional objects are not managed via the MMC).
Expected Outcome: Security Settings objects should include: Account Policies, Local Policies, IP Security Policies.
Actual Outcome: As expected.

Step 2
Procedure: Observe the Account Policies object, which should include the Password Policy and Account Lockout
Policy objects. Open these two objects and verify that effective settings comply with requirements.

Test Element | Expected Outcome | Actual Outcome
Password Policy
Store password using reversible encryption for all users in the domain | Disabled | As expected
Account Lockout Policy
Account lockout duration | |
Account lockout threshold | |
Reset account lockout counter after (time) | |

Step 3
Procedure: Observe the Local Policies object, which should include the Audit Policy, User Rights Assignment, and
Security Options objects. Open these three objects and verify that effective settings comply with requirements.
Requirements notes: The following roles can be removed: Operators (Account, Backup, and Server), Guests, and
Power Users.

Test Element | Expected Outcome | Actual Outcome
Audit Policy
Audit account logon | Success and Failure events audited | As expected.
Audit account management | Success and Failure events audited | As expected.
Audit directory service access | Success and Failure events audited | Not activated.
Audit logon events | Success and Failure events audited | As expected.
Audit object access | Success and Failure events audited | Not activated.
Audit policy change | Success and Failure events audited | As expected.
Audit privilege use | Success and Failure events audited | As expected.
Audit process ... | Success and Failure events audited | As expected.
Audit system events | Success and Failure events audited | As expected.
User Rights Assignment
Access this computer from the network | Administrators + (authorized groups) | As expected.
Act as part of the operating system | Admin | Not assigned
Add workstations to domain | Admin | N/A
Backup files and directories | Admin, Backup Operators | As expected
Bypass traverse checking (prevents inheritance of permissions. Needed for IIS). | Admin (if IIS is hosted on this system, add Users) | Backup operators and Power Users also have access. Admin and everyone.
Change system time | Admin | As expected
Create pagefile | Admin | As expected
Debug programs | Admin | As expected
Deny access to this computer from the ... | Admin | Not assigned on server.
Generate security audits | Admin | Not assigned on server.
Increase (disk) ... | Admin | As expected
Increase scheduling ... | Admin | As expected
Load and unload device drivers | Admin | As expected
Log on as a batch job | (as authorized and required) | As expected.
Log on locally (from ... | (Depending on application, anonymous users might be permitted for workgroup webservers on protected networks. However, if all users can be authenticated to the Domain Controller, then only Admins, Domain Users and required inter-server connections would be permitted.) | The following group and ... locally: Backup Operators, Power Users, Users, Admin, Guest
Manage auditing and security ... | Admin | As expected
Restore files and directories | Admin | As expected
Shut down the system | Admin | Backup Operator, Power Users, Users, Admin
Take ownership of files and other ... | | As expected
Security Options
Additional restrictions for anonymous connections. | No | As expected
Allow system to be shut down without having to log on | No | As expected
Allowed to eject removable NTFS media | Admin | As expected
Audit use of Backup and Restore privilege | Admin | As expected
Automatically log off users when logon time expires (local) | No | As expected
Clear virtual memory pagefile when system shuts down | Yes | As expected.
Digitally sign client communication (when possible) | n/a |
Digitally sign server communication (when possible) | n/a |
Disable CTRL+ALT+DEL requirement for ... | No | As expected
LAN Manager Authentication Level | Level 1 - Send LM & NTLM - use NTLMv2 (Kerberos) if negotiated. | n/a
Message text for users attempting to logon | FBI Warning | As expected.
Prevent users from installing printer ... | Yes | As expected
... change password before expiration | Yes | As expected
... administrator account | Yes | As expected
Rename guest account | No. (Must be disabled) | Account disabled.
Restrict CD-ROM access to locally logged-on user only | Yes | As expected
Secure channel: Digitally encrypt secure channel data (when possible) | n/a |
Unsigned driver installation behavior | No. | As expected

Step 4
Procedure: Observe the IP Security Policy object. Open the object and verify that effective settings comply with
requirements.

Test Element | Expected Outcome | Actual Outcome
IP Security Policy
Client (Respond Only): Communicate normally (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that server is secured. | Yes | No policy set for server or workstation.
Secure Server (Require Security): For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients. | Not at this time |
Server (Request Security): For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request. | |
Requirement: (U) MIOG 35-9.3.1(4)(a): User Identification: The ADPT system
shall control and limit user access based on identification and
authentication of the user. The identity of each user will be
established positively before authorizing access. User identification
and password systems support the minimum requirements of access
control, least privilege, and system integrity.
Pass/Fail: Pass

Requirement: (U) MIOG 35-9.3.1(4)(b): Authentication: For ADPT systems
requiring authentication controls the ADPT system shall ensure that
each user of the ADPT system is authenticated before access is
permitted. Currently use of a password system is the preferred
method for authenticating users of FBI ADPT systems. More
sophisticated authentication techniques such as retina scanners or
voice recognition systems must be cost-justified through the risk
analysis process. If passwords are selected as the authentication
mechanism passwords will be authenticated each time they are used.
FIPS PUB 83 provides standards for authentication.
Pass/Fail: Fail
Comment: Password restrictions are lacking.

Requirement: (U) MIOG 35-9.3.1(4)(e): Access Control - For systems operating in
the System Security Mode of Operation, this may be
implemented with discretionary access control techniques; through
measures such as file passwords, access control lists, disk encryption
or other techniques, as defined in the approved system security plan.
For ADPT systems operating in the compartmented or multilevel
security mode, mandatory access control (MAC) is required. MAC is
a means of restricting access to information based on labels. A user's
label indicates what information the user is permitted to access and
the type of access (e.g., read or write) that the user is allowed to
perform. An object's label indicates the sensitivity of the information
that the object contains. A user's label must meet specific criteria
defined by MAC policy in order for the user to be permitted access
to a labeled object. This type of access control is always enforced
above any discretionary controls implemented by users. Printed:
01/16/96.
Pass/Fail: Pass

Requirement: (U) MIOG 35-9.4.2(2)(d): User accounts that have been inactive for
over 90 days will be suspended. The person responsible for
administering the access control mechanism is authorized to reinstate
such accounts up to 180 days overall. User accounts that have been
inactive for 180 days will be deleted and may only be reissued by the
person authorized to approve access who is identified in the access
control criteria and only to an individual who has been authorized
access.
Pass/Fail: Pass

Requirement: (U) DOJ 2640.2D 18.a. [Department IT systems that use passwords
as the means for authentication shall implement at least the following
minimum features:] Require the system administrator to issue initial
passwords.
Pass/Fail: Pass
Requirement: (U) DOJ 2640.2D 18.b [Department IT systems that use passwords
as the means for authentication shall implement at least the following
Pass/Fail: Fail

Pass/Fail: Fail

Pass/Fail: Pass

Pass/Fail: Pass

Pass/Fail: Fail

Requirement: (U) DOJ 2640.2D 18.g. [Department IT systems that use passwords
as the means for authentication shall implement at least the following
minimum features:] Disable user accounts after no more than four
consecutive invalid attempts are made to supply a password, and
require the reinstatement of a disabled user account by an
administrator.
Pass/Fail: Pass
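As an added example, not part of the SSP or of the FBI's own tooling, the following Python script checks a secedit-style security template (the INF format that `secedit /export` writes on Windows 2000) against the Step 3 audit-policy outcomes of test case PS-W2K-01 and the DOJ 2640.2D 18.g lockout requirement above. The INF key names are secedit's; the sample template and the -1 encoding of "until an administrator unlocks" are assumptions.

```python
# secedit encodes each Event Audit category as 0 = none, 1 = success, 2 = failure, 3 = both.
AUDIT_BOTH = 3
AUDIT_NAMES = {0: "No auditing", 1: "Success only", 2: "Failure only",
               3: "Success and Failure"}

# Template keys for the nine Step 3 Audit Policy elements, all expected at
# "Success and Failure events audited".
AUDIT_KEYS = {
    "AuditAccountLogon": "Audit account logon",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}


def parse_inf(text):
    """Parse [Section] / Key = Value lines into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def check_template(text, max_invalid_attempts=4):
    """Return (element, expected, actual) triples for every setting that misses the requirement.

    max_invalid_attempts is the DOJ 2640.2D 18.g ceiling: accounts are disabled after no
    more than four consecutive invalid passwords and reinstated only by an administrator.
    """
    inf = parse_inf(text)
    audit = inf.get("Event Audit", {})
    access = inf.get("System Access", {})
    findings = []

    for key, element in AUDIT_KEYS.items():
        actual = int(audit.get(key, 0))           # absent key: category is not audited
        if actual != AUDIT_BOTH:
            findings.append((element, AUDIT_NAMES[AUDIT_BOTH],
                             AUDIT_NAMES.get(actual, str(actual))))

    threshold = int(access.get("LockoutBadCount", 0))   # 0 = accounts never lock out
    if threshold == 0 or threshold > max_invalid_attempts:
        findings.append(("Account lockout threshold",
                         "1 to %d invalid attempts" % max_invalid_attempts, str(threshold)))

    # Assumption: the template stores "locked until an administrator unlocks" as -1
    # (the MMC displays it as 0); a positive duration means the account unlocks itself,
    # which defeats the administrator-reinstatement part of 18.g.
    duration = int(access.get("LockoutDuration", 0))
    if threshold and duration > 0:
        findings.append(("Account lockout duration", "Until administrator unlocks",
                         "%d minutes" % duration))

    if access.get("ClearTextPassword", "0") != "0":
        findings.append(("Store password using reversible encryption", "Disabled", "Enabled"))
    return findings


# Constructed sample template mirroring the outcomes recorded above: directory service and
# object access auditing not activated, and no lockout threshold in force.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
LockoutDuration = 30
ResetLockoutCount = 30
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 3
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for element, expected, actual in check_template(SAMPLE_INF):
        print("%s: expected %s, found %s" % (element, expected, actual))
```

Running the script against the sample prints the three deviations (two audit categories and the missing lockout threshold); pointing it at a real export instead of SAMPLE_INF gives the same comparison for a live system.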
WINDOWS 2000 IDENTIFICATION AND AUTHENTICATION TEST SCRIPTS AND RESULTS

(U) Test Case IA-02: Test Password Requirement for System Access

(U) Description: This test confirms that the password belonging to that UserID is required for authentication and that any new password has to
conform to requirements. It also checks that no password caching exists on the workstations examined.

(U) Preparation: System workstations shall be powered on, and logged in using the test user account created in the standard manner for the
system, and made available to the testing staff. For Step 3, the system administrator must logon to one or more of each workstation type, as
determined by baseline version. Step 3 requires the examination of the local workstation registry. The system administrator should backup the
registry if he/she is concerned about possible registry corruption during this test.
(U) Procedure:

Step 1
Procedure: Testing staff shall logon to the test account, using the temporary password.
Expected Outcome: User should be required to change password on first attempt after reset.

Procedure: Test person shall enter and confirm new password that satisfies ...
Expected Outcome: Test person using new account created should be prompted to change password.

Procedure: Test person shall attempt to logon using misspelled passwords more than the maximum allowed (4).
Expected Outcome: Account should be locked if maximum number of attempts is exceeded.

Procedure: Administrator shall re... to default after logon failure.
Expected Outcome: Logon after restoration should be successful.

Procedure: Testing staff shall logon to the network using the new account and a new valid password. Repeat,
entering a different valid password and confirm it.
Expected Outcome: Attempting more than one successful change to a password in one day should fail. (Repeated
changes to return to a favorite password should be discouraged.)

Step 3
Procedure: At each Windows NT workstation used in the previous steps, the SA shall log on as an Administrator.
The SA will run the Registry Editor program (regedit or regedt32) and select the following key:
HKEY_LOCAL_MACHINE\SOFTWARE.
Expected Outcome: Under no circumstances shall passwords be cached so to defeat their required use during
system logon. However, local logon may be synchronized with the network logon that is controlled by an
accredited server identification and authentication mechanism. The following should be found for Windows 9x
and NT-

(S) Analysis of Results: Password filtering was not turned on for the workstation or the server.
1. INTRODUCTION

1.1. System Description

DCS-3000 is a computer-based intelligence collection system used by FBI personnel to
record intercepted conversations into computer memory using digital technology. In
addition to producing much higher quality and clearer recordings than the old tape
technology, the use of this computer-based technology:

• Allows the field agent to easily and efficiently manage the recordings electronically 
(Rather than having to sort, retrieve, and physically manipulate hundreds of tapes, an 
agent can find and listen to any previously recorded conversation with a few 
keystrokes on a computer.) 

• Facilitates the review and examination of the information

• Dramatically increases the efficiency of trial preparations

• Allows for the application of innovative techniques such as faster or slower playback,
looping through selected portions of intercepts, and even the instantaneous playback
of the beginning of a lengthy conversation while the conversation is still ongoing

• Supports the Field Translation Center concept, in that electronic (or digital) files of 
Criminal Law Enforcement (CLE) Title III intercepts can be transferred to a remote 
or distant field office for translation or transcription 

• Exponentially increases the utility and value of computer-based intercepts 

The DCS-3000 system is deployed in central monitoring plants (CMP) located in FBI 
field offices and at the FBI Engineering Research Facility (ERF). Access to the field 
office buildings and the ERF is controlled by use of security guards, visitor badges, and 
visitor logs. Visitors are escorted at all times while in a field office building and at the 
ERF. Field office personnel monitor operations within the CMP, and operations are 
physically separated according to type and function (i.e., Title III versus Foreign 
Intelligence Surveillance Act [FISA] and computer operations versus case monitoring). 

FBI professionals, who have been well screened, cleared, and trained for the operations 
they perform, operate and use the system in a physically secure, climate-controlled 
environment. The system is easy to use, and personnel duties are clearly defined and 
appear to be commonly understood so stress levels for system users, regardless of their 
positions, are fairly low, especially in light of the types of work they do. 

1.2. Risk Assessment Approach 

The risk assessment for this system was conducted through: 

• A security assessment of the DCS-3000 system was conducted during the period May 
2, 2006 to verify closure of open vulnerabilities. 

• Personal interviews with DCS-3000 program management and technical personnel. 
2. RISK ASSESSMENT RESULTS

This section provides detailed DCS-3000 risk assessment results that were derived from
the initial pre-certification testing. Vulnerabilities and threats have been paired by
severity of risk after all applicable existing safeguards relative to them have been taken
into account. It is important to note that multiple vulnerability/threat pairs may be
discussed by vulnerability if similar safeguards can mitigate the pairs. Test results were
generally favorable and justified no further testing of this system for the purposes of this
C&A effort.

For each vulnerability/threat pair, the following information is included in narrative form: 

• The vulnerability/threat pair number (e.g., 1, 2, etc.) 

• Vulnerability/threat pair description (in italics) 

• Description of the probable impact on the pair and analysis of the impact (also in 
italics) 

• Planned or recommended controls or alternative options for reducing risks 

2.1. Risk Assessment 

2.1.1. High Risk Vulnerability/Threat Pairs

The following are the remaining high-risk vulnerability/threat pairs that are drawn from 
the initial RMM table. There are seven operational aspects of this collection system that 
appear to be at high risk. Overarching mitigating factors for these risks include the DCS- 
3000 working environment at each operating location (i.e., FBI field office, resident 
agency (RA) office, etc.) that is tightly controlled and protected by multi-layered physical
security, and the personnel within it, who participate in electronic surveillance (ELSUR) 
operations and must undergo a thorough and comprehensive screening process in order to 
be granted an FBI Top Secret clearance before being authorized to perform their tasks. 

The following are the validated closed and remaining associated high-risk vulnerability 
pairs below: 

1. There is no anti-viral software loaded on the DCS-3000 machines. If malicious 
code, viruses, and/or executables are introduced, there will be potential for risk to 
the system or compromise of data, thereby compromising evidence contained 
therein. 

Current Status:

• Verified Closed: McAfee 4.5.1 installed with Virus updated 05/05/2006 

2. There appears to be no password management in evidence. This practice will 
allow an unauthorized individual access to the system, compromising the system 
and any attached systems. Thereby, any evidence gained would be invalidated. 

Current Status:

• Verified Closed

3. Successive failed logon attempt lockout is not enabled. Without a lockout policy,
an unauthorized user would have infinite attempts to gain access to the system. 

Current Status:

• Verified Closed: Accounts lock out after three attempts and must be reset by 
admin. 

5. Workstations associated with the system do not enforce adequate user 
permissions. Improperly configured machines do not adhere to the least privilege 
principle. This practice could potentially give a user access and rights not 
warranted for by their position. 

Current Status: 

• Remains Open: Software required to run with admin privileges. See SSP.

Planned or Recommended Remedial Action:

• Recommend the implementation of workstation permissions to give least 
privilege access. 

6. The improper account (i.e. guest or administrator) configurations do not provide 
the facility for adequate auditing. 

Current Status: 

• Verified Closed: Guest account is disabled and the Administrator account is 
renamed. 
8. The Telnet login process is accomplished in the “clear”. This practice
compromises the user ID and password information. 

Current Status: 

• Verified Closed: Telnet is not being used. 

2.1.2. Medium Risk Vulnerability/Threat Pairs 

The following medium-risk vulnerability/threat pair is drawn from RMM table below. 
4. Auditing was found to be inadequate. Tracking users’ actions will allow records
to be kept for accountability purposes. These records can be used for investigations 
and to track system or network problems for troubleshooting purposes. 

Current Status: 

• Verified Closed: Router syslog and system event viewer are set to record all
events.


This assessment was conducted to verify remaining vulnerabilities; however, due to the age
of the original test report and proposed changes to the current architecture, a full system
security assessment is required. These requirements are being added to the DCS-3000
Plan of Action and Milestones (POA&M) as risk management items that require the
appropriate attention for resolution.
1. INTRODUCTION

1.1. System Description

DCS3000 is a computer-based intelligence collection system used by FBI personnel to
record intercepted conversations into computer memory using digital technology. In
addition to producing much higher quality and clearer recordings than the old tape
technology, the use of this computer-based technology:

• Allows the field agent to easily and efficiently manage the recordings electronically 
(Rather than having to sort, retrieve, and physically manipulate hundreds of tapes, an 
agent can find and listen to any previously recorded conversation with a few 
keystrokes on a computer.) 

• Facilitates the review and examination of the information 

• Dramatically increases the efficiency of trial preparations 

• Allows for the application of innovative techniques such as faster or slower playback, 
looping through selected portions of intercepts, and even the instantaneous playback 
of the beginning of a lengthy conversation while the conversation is still ongoing 

• Supports the Field Translation Center concept, in that electronic (or digital) files of 
Criminal Law Enforcement (CLE) Title III intercepts can be transferred to a remote 
or distant field office for translation or transcription 

• Exponentially increases the utility and value of computer-based intercepts 

The DCS3000 system is deployed in central monitoring plants (CMP) located in FBI 
field offices and at the FBI Engineering Research Facility (ERF). Access to the field 
office buildings and the ERF is controlled by use of security guards, visitor badges, and 
visitor logs. Visitors are escorted at all times while in a field office building and at the 
ERF. Field office personnel monitor operations within the CMP, and operations are
physically separated according to type and function (i.e., Title III versus Foreign
Intelligence Surveillance Act [FISA] and computer operations versus case monitoring).

FBI professionals, who have been well screened, cleared, and trained for the operations
they perform, operate and use the system in a physically secure, climate-controlled 
environment. The system is easy to use, and personnel duties are clearly defined and 
appear to be commonly understood so stress levels for system users, regardless of their 
positions, are fairly low, especially in light of the types of work they do. 

1.2. Risk Assessment Approach 

The risk assessment for this system was conducted through:

• An initial pre-certification test (i.e., vulnerability assessment) of the DCS3000 system 
during the period August 22-23, 2002. 

• Personal interviews with cognizant DCS3000 program management and technical 
personnel. 

• Analysis of FBI field-office personnel surveys 

2. RISK ASSESSMENT RESULTS 

This section provides detailed DCS3000 risk assessment results that were derived from 
the initial pre-certification testing. Vulnerabilities and threats have been paired by 
severity of risk after all applicable existing safeguards relative to them have been taken 
into account. It is important to note that multiple vulnerability/threat pairs may be 
discussed by vulnerability if similar safeguards can mitigate the pairs. Test results were 
generally favorable and justified no further testing of this system for the purposes of this 
C&A effort. 

For each vulnerability/threat pair, the following information is included in narrative form: 
• Planned or recommended controls or alternative options for reducing risks

2.1. Risk Assessment 

2.1.1. High Risk Vulnerability/Threat Pairs

The following are high-risk vulnerability/threat pairs that are drawn from the RMM table.
There are seven operational aspects of this collection system that appear to be at high risk
but easily mitigated. Overarching mitigating factors for these risks include the DCS3000
working environment at each operating location (i.e., FBI field office, resident agency 
(RA) office, etc.) that is tightly controlled and protected by multi-layered physical 
security, and the personnel within it, who participate in electronic surveillance (ELSUR) 
operations and who must undergo a very thorough and comprehensive screening process
in order to be granted an FBI Top Secret clearance before being authorized to perform
their tasks.

The following are the associated high-risk vulnerability pairs drawn from the RMM table 
below: 

1. There is no anti-viral software loaded on the DCS3000 machines. If malicious code,
viruses, and/or executables are introduced, there will be potential for risk to the system
or compromise of data, thereby compromising evidence contained therein.

Planned or Recommended Remedial Action : 

• Install FBI approved anti-virus software on all servers and workstations. 

• System administrators ensure all virus signatures are updated weekly or as needed. 

2. There appears to be no password management in evidence. This practice will allow an 
unauthorized individual access to the system, compromising the system and any attached 
systems. Thereby, any evidence gained would be invalidated. 

Planned or Recommended Remedial Action : 


b7E 


3. Successive failed logon attempt lockout is not enabled. Without a lockout policy, an 
unauthorized user would have infinite attempts to gain access to the system. 

Planned or Recommended Remedial Action : 

• Account lockout duration 

• Account lockout threshold (i.e. 3 attempts) 

• Unlock procedures 

5. Workstations associated with the system do not enforce adequate user permissions. 
Improperly configured machines do not adhere to the least privilege principle. This 
practice could potentially give a user access and rights not warranted for by their 
position. 

Planned or Recommended Remedial Action : 

Recommend the implementation of workstation permissions to give least privilege 
access. 
6. The improper account (i.e. guest or administrator) configurations do not provide the
facility for adequate auditing.

Planned or Recommended Remedial Action : 

Recommend deleting the guest accounts and renaming the administrator accounts. 
8. The Telnet login process is accomplished in the “clear”. This practice compromises
the user ID and password information.

Planned or Recommended Remedial Action : 

Recommend a secure Telnet implementation. 

2.1.2. Medium Risk Vulnerability/Threat Pairs

The following medium-risk vulnerability/threat pair is drawn from RMM table below. 

4. Auditing was found to be inadequate. Tracking users’ actions will allow records to be
kept for accountability purposes. These records can be used for investigations and to 
track system or network problems for troubleshooting purposes. 

Planned or Recommended Remedial Action : 

Recommend implementing workstation and server auditing and log dumps on a daily 
basis to reduce impact on resources. 

Overall, it is recommended that senior FBI management personnel take a very active role
in support of a comprehensive FBI INFOSEC program. As part of this program, a
comprehensive FBI information security (INFOSEC) training program should be
developed and implemented throughout the FBI. Also, unit-level, job-specific INFOSEC
training should be strongly encouraged or mandated.
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/2/2006 


To: Operational Technology Attn: 

Security Attn: 


From: Security 

Information Assurance/Accreditation/SPY- 

Contact : 




Approved By:

Drafted By: 

Case ID #: 319U-HQ-1487677-SECD-275 
Title: IT SYSTEMS SECURITY RISK ANALYSES

INFORMATION ASSURANCE SECTION (IAS) 
ACCREDITATION UNIT (AU) 

DIGITAL COLLECTION SYSTEM 3000 (DCS-3000) 
ACCREDITATION DECISION: 

SECURITY CHARACTERISTIC AND TIER LEVEL 
DESIGNATION FOR DCS-3000 


Synopsis: Designate the DCS-3000 Tier Level, Mode of Operation, 

determine the Confidentiality, Integrity, Availability Levels, 
Boundary description, and name the key Certification and 
Accreditation Team Members. 


Administrative: DCS-3000 Accreditation Boundary Diagram, dated 

05/1/2006. 

Details: As a result of correspondence and meetings with the 

Accreditation Representative, Information System Security 
Manager, Information System Security Officer, Certification 
Representative, the DCS-3000 Program Manager and System 
Administrator, the following security characteristics and Tier 
Level have been determined and agreed upon. 

The Levels of Concern (LoC) are Medium for 
Confidentiality, Medium for Integrity, and Medium for 
Availability. DCS-3000 is a Sensitive but Unclassified (SBU) 
system operating in the System High Mode of Operation. The DCS- 
3000 has been assessed as a Tier Level 2 in accordance with the 
FBI Certification and Accreditation Handbook. 
To: Operational Technology From: Security

Re: 319U-HQ-1487677-SECD, 05/2/2006 


The DCS-3000 application suite was developed to assist 
Law Enforcement Agencies (LEA) with collecting and processing 
data for court-ordered Electronic Surveillance (ELSUR) 
operations. The DCS-3000 collects J-STD-25 data from the 
Telecommunications Service Provider (TSP) and stores it at the 
LEA site. 


The DCS-3000 application suite consists of five (5) 
component applications residing on one or more workstations. The 
components of the DCS suite used to support a particular 
requirement depend upon the type of surveillance to be conducted, 
the switch providing the data, the telecommunications service 
provider, and availability of equipment at the field office. 

The Certification and Accreditation Team Members are:


System Owner: | | 

Information System Security Officer: 
System Administrator: 

Information System Security Manager: 
Certification Representative: 
Accreditation Representative: 


LEAD(S):

Set Lead 1: (Info)

OPERATIONAL TECHNOLOGY
AT QUANTICO, VA

Notify the ISSM if there are any changes to DCS-3000 that could impact its designation of the Tier Level, Levels of Concern, Mode of Operation, and accreditation boundary.

Set Lead 2: (Info)

SECURITY
AT WASHINGTON, DC

For information only.
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/28/2003

To: Investigative Technology Attn:

From: Security
IAS/AU/4282
Contact: | | (202) 324-| |

Approved By:

Drafted By: | |

Case ID #: 66F-HQ-A1403623-J Serial# 92

Title: ACCREDITATIONS
NOTIFICATION OF ACCREDITATION DECISION FOR THE DATA COLLECTION SYSTEM 3000 (DCS3000)

Synopsis: To notify the system owner of the Data Collection System 

3000 (DCS3000) accreditation and address an outstanding action 
item. 


Reference: 66F-HQ-C1333650-DCS3000 

Details: The Security Division's Accreditation Unit (AU) has 

completed the requested review of the System Security Plan (SSP) 
and the Risk Report dated December 17, 2002 and received March 25, 
2003. Resulting from this review, the Designated Accrediting 
Authority (DAA) has accredited the DCS3000 from May 28, 2003 
through May 27, 2006. 

The DCS3000 was assessed as a Tier 2 system with Confidentiality - High, Integrity - High and Availability - Medium. The system is accredited to operate at the SBU level, Dedicated Security Mode of Operation.

The DCS3000 accreditation is contingent upon developing 
and implementing audit retention and review procedures within 180 
days. The Information Technology Security Unit (ITSU) will provide 
verification to the AU of audit retention and review procedures 
within this time frame. Maintaining a current accreditation status is subject to completing this action as well as to the continued adherence to the provisions of the SSP. In particular, all media copied or downloaded from the DCS3000 must be scanned for malicious code with the latest available virus scan updates before introducing information to any application residing on FBINET.
LEAD(s):

Set Lead 1: (Action)

INVESTIGATIVE TECHNOLOGY
AT WASHINGTON, DC

Develop and implement audit retention and review procedures within 180 days.

cc: | |
U.S. Department of Justice

Federal Bureau of Investigation

Washington, D.C. 20535-0001

May 28, 2003

Mr. D. Jerry Rubino
Department Security Officer
U.S. Department of Justice
RFK Building
Room 6525
Washington, D.C. 20530

Dear Mr. Rubino:

The purpose of this communication is to notify DOJ of the Data Collection System 3000 (DCS3000) accreditation.

The system is certified to operate at the SBU level, Dedicated mode of operation. It was assessed by the certifier as a Tier 1, Protection Level 1 system with Confidentiality - Medium, Integrity - Medium and Availability - Medium.

The Security Division's Accreditation Unit conducted the DCS3000 accreditation in accordance with the requirements set forth in Bureau, Departmental, and National policy. Accreditation is granted for a period of three years or until major changes affecting the security profile of the system are made. The accreditation period is from May 28, 2003 and will expire May 27, 2006.

Sincerely,

William L. Hooton
Executive Assistant Director

Enclosure
U.S. Department of Justice

Federal Bureau of Investigation

Washington, D.C. 20535-0001

May 28, 2003

Mr. | |
Certification Officer
Federal Bureau of Investigation
Room 9396
Washington, D.C. 20535

Dear Mr. | |:

ACCREDITATION STATEMENT FOR THE DATA COLLECTION SYSTEM 3000 (DCS3000)

The purpose of this communication is to accredit the Data Collection System 3000 (DCS3000). The Security Division's Accreditation Unit has completed the requested review of the System Security Plan (SSP), dated December 17, 2002 and received March 25, 2003.

The system is certified to operate at the SBU level, Dedicated mode of operation. It was assessed by the certifier as a Tier 1, Protection Level 1 system with Confidentiality - Medium, Integrity - Medium and Availability - Medium.

The Security Division's Accreditation Unit conducted the DCS3000 accreditation in accordance with the requirements set forth in Bureau, Departmental, and National policy. Accreditation is granted for a period of three years or until major changes affecting the security profile of the system are made. The accreditation period is from May 28, 2003 and will expire May 27, 2006.

Sincerely,

William L. Hooton
Executive Assistant Director

ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED
DATE 05-25-2007 BY 6S179/DHH/KSR/LHF
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 12/19/2002

To: Director's Office
    Information Resources

Attn: Mr. | |, Room 7128
      Mr. | |, Room 4272
      Ms. | |, Room 4282

From: Director's Office
Security Division, Information Assurance Section (IAS)
Room 9396
Contact: | | 202-| |

Approved By:

Drafted By: | |

Case ID #: 66F-HQ-C1333650-DCS3000 (Pending)

Title: SYSTEM CERTIFICATION AND ACCREDITATION
Data Collection System (DCS) 3000


Synopsis: This EC documents the security certification and recommends the type accreditation of the DCS3000. In accordance with the provisions of OMB Circular A-130 and in general conformance with NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP), guidance, the DCS3000 is hereby certified as providing the safeguards and security features required for secure operations.

Details: The DCS3000 system is certified to operate at the sensitive-but-unclassified (SBU) level and the system-high mode of operation. All users have formal access and need to know for all information on the system.

The IAS Test Team conducted a comprehensive pre-certification system vulnerability assessment (P-SVA) of this system. The favorable results of the P-SVA eliminated the need for any further follow-on testing of this system. However, an action plan was developed to address the P-SVA findings/system vulnerabilities documented in the assessment and has been included in Section 5 of the enclosed DCS3000 System Security Plan. The action plan shows that corrective actions for all findings have been accomplished, and that all findings have been closed with associated risks mitigated as of December 16, 2002.
To: Security From: Director's Office

Re: 66F-HQ-C1333650-DCS3000, 12/17/2002 


Recommend the DCS3000 system be type accredited for 
continued operation. 


LEAD(s):

Set Lead 1 : 

SECURITY 


The Accreditation Unit in the Security Division should 
review the DGS3000 documentation and determine the accreditation 
status . 


Set Lead 2: 


LABORATORY
AT WASHINGTON, DC

For information only.

CC: 1 - Mr. | |, Room 9396
FBI Engineering Research Facility
FBI Engineering Research Facility
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/28/2003

To: Director's Office Attn: William L. Hooton

From: Security
IAS/AU/4282
Contact: | |

Approved By:

Drafted By:

Case ID #: 66F-HQ-A1403623-J

Title: ACCREDITATIONS - REQUEST FOR ACCREDITATION DECISION FOR THE DATA COLLECTION SYSTEM 3000 (DCS3000)

Synopsis: To request an accreditation decision by the DAA for the Data Collection System 3000 (DCS3000).

Reference: 66F-HQ-C1333650-DCS3000 

Details: The Data Collection System 3000 (DCS3000) is certified to operate at the SBU level, Dedicated mode of operation. It is a Tier 1, Protection Level 1 system with Confidentiality - Medium, Integrity - Medium and Availability - Medium.

The DCS3000 is an electronic surveillance (ELSUR) collection system that supports criminal law enforcement (CLE) Title III criminal investigations. The DCS3000 application suite resides on a Windows 2000 platform. Although the system is connected only to a Telephone Service Provider for passive monitoring, data is transferred daily, via removable media, to the Telephone Application (TA) on FBINet. The completion of actions detailed in an EC from Security, Case ID #66F-HQ-A1403623-J, to Investigative Technology dated 05/28/2003 will minimize the risk to FBINET.


The Security Division's Accreditation Unit conducted the 
DCS3000 accreditation review in accordance with the requirements 
set forth in Bureau, Departmental and National policy. Favorable 
approval by the DAA will accredit the DCS3000 for a period of three 
years or until major changes affecting the security profile of the 
system are made. The accreditation period is from May 28, 2003 and 
will expire May 27, 2006. 
To: Director's Office From: Security

Re: 66F-HQ-A1403623-J, 05/28/2003 


LEAD(S):

Set Lead 1: (Action)

DIRECTOR'S OFFICE
AT EADADMIN, DC

Request an accreditation decision for the Data Collection System 3000 (DCS3000).
DCS3000
System Rules of Behavior
APPENDIX D

March 13, 2003

Prepared for:
Ms. | |
Chief, Legacy System Certification Unit (LSCU)
Federal Bureau of Investigation
935 Pennsylvania Avenue, NW
Room 1302
Washington, DC 20530

Prepared By:
The LSCU Green Team
FBIHQ
1.0 INTRODUCTION

Prior to receiving access to DCS3000, all users shall be required to review the DCS3000 Rules of 
Behavior. These Rules of Behavior apply to all users of DCS3000. By signing this document, the 
user acknowledges that he or she understands and accepts these responsibilities and will make every 
effort to comply with them. Copies of these rules of behavior must be provided to all new users of 
DCS3000 before they are granted system access. 

Security is important for everyone. All users of DCS3000 resources should be aware that the 
system as a whole contains valuable and sometimes sensitive government information, which must 
be protected to prevent disclosure, unauthorized changes, and loss. Each part of the system can 
introduce vulnerabilities to the whole, so protection must be consistent in order to be effective. 

1.1 Purpose

The purpose of the DCS3000 Rules of Behavior is to implement baseline security requirements for all program managers (PM), system administrators (SA), information systems security officers (ISSO), and users of the system. This document states individuals' security responsibilities as users of the system.

1.2 Compliance

The DCS3000 Rules of Behavior are based on the principles described in the Computer Security Act of 1987 to protect sensitive information. More specific user responsibilities are set forth in the FBI Manual of Investigative Operations and Guidelines (MIOG) and in other regulatory documents such as the Code of Ethics for Government Employees, Office of Personnel Management (OPM) regulations, Office of Management and Budget (OMB) regulations, and the Standard of Conduct for Federal Employees. The DCS3000 Rules of Behavior carry the same responsibility for compliance as these official documents. Users who do not comply with these rules are subject to penalties that can be imposed under existing policy and regulations, including official written reprimands, suspension of system privileges, temporary suspension from duty, removal from current position, termination of employment, and even criminal prosecution. The FBI will enforce the use of penalties against any user who willfully violates any DCS3000 or federal system security (and related) policy.

1.1.2 User Information and Contacts

Your supervisor or system administrator should furnish you with the following information when you are granted authorized user privileges on DCS3000. After that, it is your responsibility to stay up-to-date on the key personnel and phone numbers. You should know:

• Your unique personal identifier (user ID) on the system. Your user ID will be used to control your access to parts of the system and for auditing your activities on the system.

• Your password on the system. The system will ask for your password to authenticate your identity before granting you access. You may get a temporary password; if you do, the system will ask you for a new one the first time you log on. You should also be notified of any requirements for password length, content, duration, etc. Never write your password down.

• Your access privileges. Your access privileges may be limited to a specific list of file areas, programs, and activities.

You should know who the following individuals are and how to contact them (names and telephone numbers redacted):

Table 1: Contacts

Project Manager: Project manager for DCS3000 activities. Telephone: | |

Information Systems Security Officer (ISSO): Ensures that the information system is implemented with appropriate security features and meets the minimum security requirements. Telephone: | |

DCS3000 Senior System Technical Representative: Serves as senior technical advisor for all DCS3000 issues. Telephone: | |

Switch-Based Intercept Program Manager: Serves as POC for all DCS3000 switch-based intercept issues. Telephone: | |

User Representative: Serves as spokesman for all DCS3000 user issues. Telephone: | |

Supervisor (in the specific location): Requests access for, or termination of service to, the information system. Requests the establishment and deletion of directories. Telephone: TBD
1.1.3 The DCS3000 Environment

General Information

All DCS3000 users must read and abide by these rules of behavior.

All FBI ADPT systems are for official business only. System users have no expectation of privacy while utilizing these resources.

Sensitive and Classified Data Considerations

Classified national security information (i.e., Confidential, Secret or Top Secret information) will not be processed on any DCS3000.

All DCS3000 output that contains LOUO information will be so marked or labeled by the user who generated the material, and then stored or transmitted with appropriate protection. The designation "Limited Official Use Only" will be marked, stamped or permanently affixed to the top and bottom of the outside of the front and back covers (if any), on the title page and on all pages of documents or information requiring such control. All diskettes or other magnetic media containing sensitive information will be similarly labeled and stored in locked containers (e.g., desks, filing cabinets, etc.).

LOUO documents that are no longer needed should be shredded. 

Magnetic media (e.g., diskettes and hard drives) that have been used for LOUO information may 
contain sensitive information even after the LOUO files are deleted. The information may be 
recoverable, even if a normal directory listing of the medium says it is empty. Before discarding 
magnetic media, users should do one of the following: 

• Degauss the media (erase all magnetic patterns) 

• Destroy the magnetic medium physically (e.g., open the plastic floppy disk casing, remove 
the disk, and shred it) 

• Use an approved software program to completely delete all files on the medium and 
overwrite them with ones and zeroes 

If you need assistance in disposing of magnetic media, consult your system administrator or ISSO.
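The third disposal option above (an approved program that overwrites the data with ones and zeroes) is the only one that can be scripted. The following is an added example written for this edit; it is not code from the FBI document or from the DCS3000 software. It sanitizes a single file: a pass of 0xFF, a pass of 0x00, each flushed to the device, a read-back check of the final pass, and only then the unlink. The file name and the sample content are constructed for the demonstration. The caveat in the docstring is the one a practitioner needs: in-place overwriting reaches only the blocks the file currently occupies, which is why the rules list degaussing and physical destruction first.

```python
"""Overwrite-then-delete sanitization for one file that held LOUO data.

Added example, not code from the FBI document or the DCS3000 suite. It
implements the third disposal option above (an overwriting program) for a
single file: one pass of ones, one pass of zeroes, a read-back check, then
unlink. CAVEAT: an in-place overwrite only reaches the blocks the file
currently occupies. Journaling or copy-on-write filesystems, SSD wear
levelling, backups and earlier copies of the file are not touched, which is
why degaussing or physical destruction remain the options for media that
leaves the facility.
"""
import os
import tempfile

PASSES = (b"\xff", b"\x00")   # ones, then zeroes, as the rules describe
CHUNK = 64 * 1024


def overwrite_file(path, passes=PASSES):
    """Overwrite every byte of `path` once per pattern; return the byte count.

    Each pass is flushed and fsync'ed so the data reaches the device rather
    than sitting in the page cache when the file is unlinked.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def verify_pattern(path, pattern):
    """True if every byte of the file equals the single-byte `pattern`."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk != pattern * len(chunk):
                return False


def sanitize_file(path):
    """Overwrite, confirm the final pass, then delete. Returns (bytes, verified)."""
    size = overwrite_file(path)
    verified = verify_pattern(path, PASSES[-1])
    if verified:
        os.remove(path)
    return size, verified


# Constructed sample content; stands in for a LOUO export, not real data.
SAMPLE = b"LOUO sample record 0001\n" * 4000


def demo():
    """Create a throwaway file holding SAMPLE, sanitize it, report the result."""
    fd, path = tempfile.mkstemp(prefix="louo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE)
    size, verified = sanitize_file(path)
    return {"size": size, "verified": verified, "exists_after": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

The read-back check is there so the result can be logged as verified rather than assumed; if it fails, the file is left in place for the administrator or ISSO to deal with rather than silently deleted.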

Passwords

The following password management policy is taken from DOJ 2640.2D or the FBI MIOG.

• Do not record your password in writing.

• Do not share your password or accept another user's password if offered. Sharing passwords defeats the system's user identification and authentication mechanisms. In addition to sharing access privileges, participants share liability for any unauthorized behavior traced to the shared UserID and password.
• System administrators have no way to look up your password. If you forget it, your system administrator will have to change it and make you pick a new password.

• The system will prompt you to change your password every 90 days.

• A new password cannot be one you used recently. The system will not allow the use of any of the last six passwords used.

• If there is a reason, you may change your password before the end of 90 days.

• Users will be locked out of the system after four consecutive incorrect password entries and will be required to contact the system administrator.

• A user's screen saver password should have the same characteristics as the password used to log on to DCS3000, but will be different from the system password.

• Your password should be something you can easily remember.

• Passwords should not be something that another individual can guess. Therefore, do not use the name of your spouse, pet(s), or children. Passwords that contain a word (or words) are easily guessed by software routines that check every word in the dictionary.

1.2 Interacting With Administrators 

Occasionally, users need to call upon administrators at various levels in order to obtain services or meet 
requirements for the task at hand. Some routine occasions are listed below. 

• When you start a new job, or your job description changes, coordinate your DCS3000 
access requirements and parameters with your supervisor. 

• When you need to obtain membership in a shared directory, or change or terminate your membership privileges, see your supervisor and the owner of that directory.

• When you need other access privileges in order to do your job, notify your supervisor.

• When you find that your access to DCS3000 resources is beyond what you need to do your job, notify your supervisor.

• In the event of a DCS3000 system crash during the absence of the system administrator, users will look in the office safe for instructions, UserID and password for the alternate system administrator account and reboot the system.

When you need to remove any computer resource from DCS3000 premises, see your supervisor for approval; follow FBI regulations when removing any devices from the premises. Resources may only be removed from DCS3000 premises for official use.

1.3 Configuration Management

Configuration management addresses changes to DCS3000. It is important to understand that changes (minor or major) to the system can greatly affect its security posture. Changes must be identified, reviewed, and possibly evaluated prior to incorporating them into the system. The Configuration Management Board, along with the Information Assurance Section within the Bureau, will review and decide if the changes require re-certification of the system.

1.3.1 Things You May Change

You may share directories and files, provided you limit the number of people who can access your files.

If you do share directories or files, you may change the list of users with access, as needed. You should review this list, at least quarterly, to ensure it is limited to people who need access.

You may change the Windows "wallpaper" background on your workstations and/or servers. The only requirement is that of good taste.

1.3.2 Things You May Not Change

Do not install any software onto your workstation or any other DCS3000 resources. Only the DCS3000 system administrator (or his/her designated representative) is authorized to load software on workstations or servers. This must be coordinated with the DCS3000 Program Manager.

Do not attempt to add printers of any kind. If you need access to another printer, see your supervisor or system administrator. Normally, users will be assigned to the printer nearest to their workstation area.

Do not add any additional hardware or peripheral devices to any workstation, server or other DCS3000 resource. This includes all devices such as extra memory, hard drives, printers, scanners, additional servers, additional processors, etc. These tasks are handled by the system administrator and subject to configuration control.
1.4 Unauthorized Activities

All DCS3000 users are held strictly accountable for their actions while on the system. User activity may be monitored and system activity audited to detect unauthorized behavior. Unauthorized activity may result in a warning, reprimand, loss of access, formal disciplinary action (including dismissal), or even legal action (such as a fine or imprisonment).

Unauthorized activities include: 

• Entering unauthorized, inaccurate, or false information. Do not delete or manipulate information inappropriately.

• Using data for which you have not been granted authorization. Do not explore data or IS capabilities that are not related to your job or attempt to access information which you do not have authority to access. If you have any questions about the limits of your authorization, consult your supervisor for clarification.

• Retrieving information for someone who does not have access to it himself/herself, except as specifically authorized in your job description, or by your supervisor.

• Violating copyright and site licenses of proprietary software. This may happen when multiple copies of licensed software are installed, as well as when unlicensed software is installed.

• Installing unauthorized software. Do not install outside software (including other agency software, shareware, freeware, personally purchased, or pirated software) on DCS3000.

• Installing modems (either internal or external) on a workstation, server or any other DCS3000 resource. Although covered in the preceding section on configuration management, modems deserve special attention because they are a well-known way to bypass firewall protection or give remote access to unauthorized individuals. In particular, modems that are set to answer calls enable system access from outside the facility and may be regarded as a malicious breach of security.

• Storing or processing classified national security information on DCS3000. If, for any reason, classified information is introduced to DCS3000, notify your system administrator as soon as possible.

• Leaving your computer logged into the system when not being used. Log off your workstation whenever you are away from the immediate work area, unless the Windows screen saver feature with a password enabled is properly invoked.
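The statement that user activity may be monitored and system activity audited, together with the audit retention and review action item in the 05/28/2003 accreditation EC earlier in this collection, only has teeth if someone reads the logs against the rules. The following is an added example written for this edit, not code from the FBI document or the DCS3000 suite, of a first-pass review: it runs over constructed log lines in a simplified "date time event_id account" form and checks them against the password and administrator rules on this page: four consecutive failures should be followed by a lockout, the SYS_ADMIN name should never appear, each use of the renamed primary administrator account should be reconciled with the envelope in the safe, and each account creation should have a supervisor's request behind it. The account name DCSPRIMARY and the record format are assumptions; the Windows 2000 security event IDs (528, 529, 539, 612, 624) are the standard ones.

```python
"""First-pass review of DCS3000-style Windows 2000 security audit records.

Added example, not code from the FBI document or the DCS3000 suite. The
record format 'YYYY-MM-DD HH:MM event_id account' is a constructed
simplification (real Windows 2000 records carry more fields). Event IDs
are the standard Windows 2000 security IDs: 528 successful logon,
529 bad user name or password, 539 account locked out, 612 audit policy
changed, 624 user account created.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 4              # Rules of Behavior: four consecutive bad passwords
PRIMARY_ADMIN = "DCSPRIMARY"       # ASSUMPTION: the renamed primary SA account (envelope in safe)
FORBIDDEN_ADMIN_NAME = "SYS_ADMIN"  # the one name the rules say an SA account cannot use

# Constructed sample log; not real DCS3000 data.
SAMPLE_LOG = [
    "2003-03-13 08:01 528 jdoe",
    "2003-03-13 08:05 529 asmith",
    "2003-03-13 08:05 529 asmith",
    "2003-03-13 08:06 529 asmith",
    "2003-03-13 08:06 529 asmith",
    "2003-03-13 08:06 539 asmith",      # lockout after four: policy is in effect
    "2003-03-13 09:10 529 bjones",
    "2003-03-13 09:10 529 bjones",
    "2003-03-13 09:11 529 bjones",
    "2003-03-13 09:11 529 bjones",
    "2003-03-13 09:12 529 bjones",      # fifth failure and no 539: policy not in effect
    "2003-03-13 10:00 529 SYS_ADMIN",   # someone trying the forbidden default name
    "2003-03-13 11:30 528 DCSPRIMARY",  # primary SA account used: envelope opened?
    "2003-03-13 11:32 624 newuser",     # account created: supervisor request on file?
]


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or INFO
    account: str
    message: str


def parse_line(line):
    """Split one constructed record into (timestamp, event_id, account)."""
    date, time, event_id, account = line.split()
    return f"{date} {time}", int(event_id), account


def review(lines):
    """Return the findings a reviewer should look at, in log order."""
    findings = []
    failures = defaultdict(int)   # consecutive 529s per account
    locked = set()                # accounts for which a 539 was seen
    for line in lines:
        ts, event_id, account = parse_line(line)
        if account.upper() == FORBIDDEN_ADMIN_NAME:
            findings.append(Finding("HIGH", account,
                f"{ts}: event {event_id} for forbidden default SA name"))
        if event_id == 529:
            failures[account] += 1
            # One failure beyond the threshold with no lockout in between means the
            # configured lockout policy is not actually enforced on this host.
            if failures[account] == LOCKOUT_THRESHOLD + 1 and account not in locked:
                findings.append(Finding("HIGH", account,
                    f"{ts}: {failures[account]} consecutive failures and no lockout (539); check account policy"))
        elif event_id == 539:
            locked.add(account)
            findings.append(Finding("INFO", account,
                f"{ts}: locked out after {failures[account]} failures"))
        elif event_id == 528:
            failures[account] = 0
            if account == PRIMARY_ADMIN:
                findings.append(Finding("MEDIUM", account,
                    f"{ts}: primary SA account used; reconcile with the safe envelope"))
        elif event_id == 612:
            findings.append(Finding("HIGH", account, f"{ts}: audit policy changed"))
        elif event_id == 624:
            findings.append(Finding("MEDIUM", account,
                f"{ts}: account created; verify the supervisor's request is on file"))
    return findings


def summarize(findings):
    """Count findings by severity, for the review record."""
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.severity:6} {f.account:12} {f.message}")
    print(dict(summarize(review(SAMPLE_LOG))))
```

The lockout check is the one worth keeping: a run of failures longer than the configured threshold with no lockout event is direct evidence that the account policy on that host is not what the plan says, which is a finding about the system, not about the user.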
1.5 Your Role in Protecting the System

Ensure that any data that is visible on the workstation monitor screen cannot be viewed by unauthorized personnel. The following guidelines will be followed when using the Windows NT/2000 screen saver option:

• Only the Windows screen savers are authorized. No other screen savers shall be installed.

• The password option for the screen saver will be invoked by the user. The password created will be generated by the user. The criteria for generating that password will be the same as that used for creating a DCS3000 log-on password.

• The screen saver password and DCS3000 log-on password will not be the same, nor should one be a derivative of the other. | | This makes it much easier for an individual to guess your password.

• The user will ensure that the screen saver activates before leaving the workstation unattended. This must be done because there are conditions in a session that will delay or preclude the screen saver from activating (e.g., the print pop-up is present on the screen, data exchanges are occurring between server and workstations, etc.).

Ensure printouts are retrieved as soon as possible. Output should not be left unattended for any 
longer than is necessary. 

Protect your equipment (workstation, diskettes, etc.) from physical damage. Ensure that your 
workstation is clean, ventilated, and located in a place where it is not likely to be bumped or 
knocked over. Keep food and drinks where they won't get spilled on the equipment. 

Safeguard DCS3000 resources against waste, loss, abuse, unauthorized use, and misappropriation. 

Scan all disks for viruses before use, especially if they are received from external sources. 
Discontinue use of any DCS3000 resources that show indications of being infected by a virus and 
immediately report any incidents to the ISSO. 

Report any security incidents or suspected security incidents, including computer virus infections, to 
your ISSO. The term “security incident” includes any event that may result in the disclosure of 
sensitive information to unauthorized individuals or ftiat results in unauthorized access, modification 
or destruction of system data, loss of system processing capability, or loss or theft of any computer 
system media. 

Challenge any unauthorized personnel in your work area.

To meet minimal accreditation standards, all FO DCS3000 must have Rules of Behavior in place. It is paramount that the ISSO, System Administrator, and all users read and follow these Rules of Behavior. A generic accountability sheet is shown in the back of this document.
2.0 USER SUPERVISORS

These Rules of Behavior apply to all supervisors of users of DCS3000. 

2.1 Account Creation Responsibilities 

First line supervisors are responsible for requesting access to DCS3000 for new users and the 
granting of new access privileges that may be required by users under his/her supervision. 

2.2 Account Termination Responsibilities 

First line supervisors are responsible for directing the removal of DCS3000 access for all persons 
under their supervision upon transfer of the user, termination of service or when there is no longer 
any need for that user to access DCS3000 resources. The supervisors should: 

• Notify the ISSO and system administrator upon the departure or transfer of all assigned staff 
(government employees, contractors, etc.). 

• Ensure continued availability of information when an employee terminates. Transfer 
employee files to another authorized user when needed, delete unnecessary files, and get 
passwords to encrypted files. 

• Counsel tenninating employees on nondisclosure of sensitive information. 

• Terminate access to information and computer systems immediately in the event of 
unfriendly separation. Physically remove an employee when there is likelihood of sabotage. 

2.3 Account Parameters 

First line supervisors may request the establishment of shared directories. When a shared directory 
is established, the following rules apply. 

• The first line supervisor is responsible for designating those users who will be granted access 
to such directories and the permissions to be assigned to each user. 

• An owner will be assigned to manage each shared directory. 

• The first line supervisor is responsible for ensuring that owners review and verify the list of 
authorized users for each shared directory at least quarterly. The shared directory owner 
will request termination of access for any user no longer requiring access. 

2.4 Account Verification/Validation 

Supervisors will respond to system administrators' annual requests for review of user privileges. 

2.5 Awareness Responsibilities 

Supervisors will ensure that all DCS3000 users belonging to, or performing work within, their organization have current knowledge of these Rules of Behavior, the required clearance, and a need-to-know for all information they are authorized to access.

2.6 Official Use 

Supervisors will ensure that the system is not used for any unlawful, immoral or unethical activities. 

2.7 Incident Reporting

Supervisors are responsible for ensuring that security incidents are promptly reported to the ISSO.

3.0 ADMINISTRATORS

These Rules of Behavior apply to all Administrators for DCS3000.

3.1 System Administrators

3.1.1 Responsibilities

In addition to compliance with the Rules of Behavior that apply to all users, DCS3000 system administrators are responsible for:

• Verifying the adequacy and authenticity of a new user’s request before authorizing the 
creation of his/her new user account. Contact ISSO for any specific security questions when 
creating an account. 

• Ensuring software has been approved by the Configuration Control Board (CCB) and 
Information Assurance section before installing. 

• Becoming thoroughly familiar with and complying in all respects with the requirements of 
DCS3000 Security Policy and these Rules of Behavior. 
• Supporting and providing technical assistance to supervisors and the ISSO in the performance of their duties and responsibilities relating to the security of DCS3000.

• Managing the creation and deletion of user accounts and the granting and revocation of 
system privileges. 

• Maintaining and keeping current all system documentation 

• Altering the configuration of DCS3000 hardware or software only in accordance with the 
requirements of the Configuration Control Board. 

• Initiating an annual review of any advanced access privileges they have granted, to verify 
that personnel still need access. System administrators will generate lists of personnel who 
have advanced privileges and send them to the appropriate supervisors for review and 
written response. If a supervisor determines that some personnel no longer need advanced 
privileges, the system administrator will terminate their access. 

• The system administrator will rename the primary system administrator account and use it to create additional system administrator accounts with full system administrator privileges. The UserID for these accounts can be any valid logon name (e.g., DCS_ADMIN), but cannot be SYS_ADMIN. The user ID and password for the primary system administrator account (together with instructions) will be kept in a marked envelope in an office safe. DCS3000 users are instructed to look in the safe for system administrator instructions, UserID and password in the event that the DCS3000 system needs to be rebooted.

3.1.2 Separation of Duties 

System administrators will use their system administrator user ID and privileges only when 
performing system administration duties. They will use a general user ID and privileges for all other 
duties. Duties that entail security of the IT system shall be separate from administrator duties and 
assigned to two different personnel, when possible. 

3.2 ISSO 

The ISSO is responsible for: 

• Maintaining a document library containing current copies of all security plans, policies, 
regulations, certification and accreditation documentation, and procedures applicable to 
DCS3000. 

• Becoming thoroughly familiar with the DCS3000 security plan, DOJ 2640.2d policy, FBI 
MIOG requirements and basic best practice security procedures and standard operating 
procedures. 

• Ensuring the implementation of the DCS3000 Security Plan and its development, operation 
and maintenance in accordance with the requirements of the DCS3000 Security Policy and 
all other applicable security policies, regulations and procedures. 
• Monitoring the administration of DCS3000, providing guidance to system administrators 
and ensuring their compliance with all such security plans, policies, regulations and 
procedures. 

• Ensuring that physical access control procedures and measures are properly implemented at 
the sites for which they are responsible. 

• Implementing and ensuring compliance with the requirements of the security incident 
reporting program. 

• Providing advice and assistance to managers and supervisors in performing their duties in 
relation to the DCS3000 security program. 

• Assisting site managers in the selection and use of safeguards that reduce the risk to systems 
and facilities from malicious software and intrusions. 

• Assuring that system security plans are revised and assisting in the re-certification and 
accreditation of the system according to the requirements of the DCS3000 Security Plan. 

4.0 INFORMATION SYSTEMS SECURITY MONITORING 

This FBI system is for the sole use of authorized users for official business only. You have no 
expectation of privacy in its use. DCS3000 may be monitored routinely for indication of any 
unauthorized or malicious activity. 

5.0 MONITORING NOTICES 

The following warning notices will be used as indicated to inform users of FBI information systems 
that such use is subject to information systems security monitoring. 
5.1 Computer Log-on Banner 

***** WARNING ***** 

This FBI system is for the sole use of authorized users for official business only. You have no 
expectation of privacy in its use. To protect the system from unauthorized use and to insure that the 
system is functioning properly, activities on this system are monitored and recorded by system 
personnel. Anyone using this system expressly consents to such monitoring and is advised that if 
such monitoring reveals evidence of possible abuse or criminal activity, system personnel may 
provide the results of such monitoring to appropriate officials. 

***** WARNING ***** 

Do you accept these requirements and conditions? (Y/N) 


6.0 SYSTEM ADMINISTRATORS 

6.1 Objective 

The two main goals of the system administrator (SA) are to keep the AIS (automated information 
system) operational and secure. The following tasks are essential in accomplishing these goals: 

• Ensure that the operating system for the AIS is configured properly and that the security 
features appropriate to the intended level of system operation are properly set. Such settings 
should be periodically reviewed; such reviews will not involve looking at information or 
data contained in the files of individual users other than system configuration files. 

• Use approved tools to periodically review system security. These may be security utilities 
provided with network software. At no time will the utilities be used to review user data 
even if the tool is capable of this function. 

• Periodically check with the operating system manufacturer in order to keep informed of 
system security problems and patches as they are developed, and apply them as appropriate 
in order to maintain AIS security. 

• Ensure audit software is properly configured and audit trail reports are periodically reviewed 
in accordance with this document. 

Review file names, length, permissions, and directories. If any of this information leads a SA to 
suspect that an individual user is misusing the system or engaging in other misconduct, the SA will 
notify the ISSO. The ISSO will contact the Special Agent in-Charge (SAC) for that field office. 

The SAC will contact Criminal Investigation Division (CID). At no time will the SA specifically 
target or track an individual's activities except as part of a properly authorized investigation. 
If a SA suspects an unauthorized user is attempting to access the AIS, the SA is authorized to take 
the actions necessary to verify and limit the penetration attempt from an unauthorized user. Once 
verified, the SA will notify the ISSO. The SAC will contact CID. The SA may make system 
backups of appropriate log, history files, and user directories. Once the SA has determined that the 
anomaly is in fact an unauthorized intrusion, and CID have been notified, the SA will not in any 
other manner specifically target, track or attempt to investigate a suspected intruder's activities 
except as part of a properly authorized investigation. 

6.2 Restrictions on System Administrators in the Normal Performance of Their Duties 
The SA does not have unlimited authority in operating the AIS. While security of the system is an 
important component of the administrator's job, there are restrictions on actions that an administrator 
may take in accomplishing the security function: 

The SA is NOT authorized to view, modify, delete, or copy data files that are stored on the AIS 
which are not part of the operating system except when: 

• Authorized by the user or file owner. 

• Performing system backup and disaster recovery responsibilities. 

• Performing antivirus functions and procedures. 

• Performing actions which are necessary to ensure the continued operation and system 
integrity of the AIS. 

• Performing actions as part of a properly authorized investigation. 

The SA is NOT authorized to browse or read a user's E-mail. The SA may intercept, retrieve, or 
otherwise recover an E-mail message upon the written or verbal authorization of the parties involved 
or as part of a properly authorized investigation. When the SA must remove an E-mail message that 
is interfering with the operation of the AIS, the SA will make reasonable effort to notify the 
originator of the E-mail. 

The SA is NOT authorized to use hacker techniques in an attempt to penetrate his or her AIS. 
Techniques include but are not limited to: 

• The use of network analyzers, sniffers, or similar network monitoring systems to monitor the 
activities of specific system users. The use of these devices is authorized to perform valid 
system troubleshooting and diagnostics of network problems. 

• "Keystroke monitoring" software of any kind will not be used either resident on the user's 
computer, or by monitoring computer network communications. 

• The use of keyboarding or automated techniques to exploit/verify vulnerabilities identified 
by the C2 Protect tools. 
6.3 Management Searches 

In the absence of a user, the SA is authorized to grant the user's supervisor temporary access to the 
user's data files, in order to allow access to data for official purposes. When such access is granted: 

The SA will brief the supervisor as to the limits of accessing the user's data files. This will include a 
warning that the search must be limited in scope to those files that could reasonably be related to the 
objective of the search (that is, E-mail access would NOT be reasonable when searching for a word 
processing file). Searches will be limited to the time necessary to locate the required data. 

Such access will not be used to circumvent regulatory or statutory requirements for investigations. 

6.4 Assistance to Law Enforcement and Counterintelligence 

The SA is authorized to provide technical assistance as requested by the investigating agent when 
part of a properly authorized investigation. 
DCS3000 Privileged User Rules of Behavior Acknowledgement Form 

As the privileged or super user of the DCS3000 Automated Information System (AIS), I 
acknowledge my responsibility to conform to the following requirements and conditions as directed 
by Department of Justice Order (DOJ) 2640.2D (Information Technology Security), DOJ-TS-001 
(DOJ Access Control Standards Password Management), Manual of Investigative Operations 
Guidelines Part 2, Section 26 (Classified National Security Information and Material) & 35 (FBI 
Automated Data Processing and Telecommunications Security Policy), the SACS System Security 
Authorization Agreement, and local Security Operating Procedures (SOP). DCS3000 is an FBI- 
accredited network. These conditions are established for and apply to all AIS connected to 
DCS3000. 

1. I understand that failure to sign this acknowledgment will result in denial of access to DCS3000. 

2. I understand the need to protect the "root" or "super user" password at the highest level of data it 
secures. I will not share the root or super user password and/or account with any unauthorized 


3. I understand I am responsible for all super user or root actions taken under my account. I will not 
attempt to "hack” the network or any connected AIS, or any connected network. I will not attempt to 
gain access to data for which I am not specifically authorized, to include E-Mail and users files in 
their home directories. I will only use my special accesses or privileges to perform authorized tasks 
or mission-related functions on DCS3000. 

4. I understand my responsibility to report any/all IS or network computer security problems to the: 
Information System Security Officer (ISSO) and the Security Countermeasures Program Manager 
(SCMPM). 

5. I acknowledge my responsibility to use the network only for official government business. I 
understand I am required to report the discovery of any violations of this rule to the DCS3000 ISSO. 

6. I will not enroll any user to the network or any connected system that is not approved by their 
supervisor (or sponsor in the case of non-FBI employees) and cleared to at least the TOP SECRET 
level. 

7. I understand that the network operates in the Sensitive But Unclassified condition/level. I have all 
clearances necessary for access to the network, and will not introduce or process data that the 
network is not specifically designed to handle as specified by DCS3000 System Security Policy. 

8. I understand my responsibility to appropriately protect all output generated under my account, to 
include printed output, magnetic tapes, floppy disks, and downloaded hard disk files. I understand 
that I am required to ensure all hard copy output and magnetic media is properly labeled as required 
by the regulations listed above. 
9. I understand my responsibility to not introduce any software or hardware not acquired through 
official channels. I also acknowledge my responsibility to virus-scan all official and authorized 
software before introducing it into DCS3000. 

10. I acknowledge that all DCS3000 equipment and related items are for the communication, 
transmission, processing, and storage of U.S. Government information only. These systems and 
equipment are subject to monitoring to ensure proper functioning, to protect against improper or 
unauthorized use or access, and to verify the presence or performance of applicable security features 
and procedures, and for like purposes. Such monitoring may result in the acquisition, recording, and 
analysis of all data being communicated, transmitted, processed, or stored in this system by any user. 
If monitoring reveals possible evidence of criminal activity, such evidence may be provided to law 
enforcement personnel. In using this system, I expressly consent to such monitoring. 

11. I will not violate any U.S. statute, and I understand that I am bound by the directives of the 
President of the United States, the Attorney General, Director of Central Intelligence (DCI), the 
Director FBI, Rules of Behavior, and local Standard Operating Procedures (SOP). I further 
understand that I cannot be ordered by any lesser authority to violate either the letter or the spirit of 
any U.S. statute, Executive Order, directive from the AG, DOJ, DCI, Director FBI, or local SOP. I 
bear sole responsibility and liability for any such violation. Suggested reading for this includes the 
Privacy Act of 1974, National Computer Security Act of 1987, Executive Order 12958 (Classified 
National Security Information), Department of Justice Order 2640.2D (Information Technology 
Security), DOJ-TS-001 (DOJ Access Control Standards Password Management), and Manual of 
Investigative Operations Guidelines Part 2, Section 26 (Classified National Security Information 
and Material) & 35 (FBI Automated Data Processing and Telecommunications Security Policy). 

12. I acknowledge my responsibility to conform to these requirements and conditions when using 
DCS3000 Network/Systems. I also acknowledge that failure to comply with these requirements and 
conditions may constitute a security violation resulting in denial of access to DCS3000 
Network/Systems. Additionally, such violations will be reported to the appropriate authorities for 
further action as deemed appropriate. 

13. I have completed the required course(s) and secure awareness training prior to receiving access 
to DCS3000. 

14. A copy of this agreement will be kept on file with the DCS3000 ISSO as part of my security 
agreement. 


Privileged User Signature: 


Date: 


Supervisor Signature: 


Date: 
1. INTRODUCTION 

The Data Collection System (DCS) 3000 application suite was developed to assist Law 
Enforcement Agencies (LEA) with collecting and processing data for Court-ordered electronic 
surveillance (ELSUR) operations. This system was developed, as an interim solution to Law 
Enforcement Agency collection needs until commercial collection platforms become available. 

1.1. Purpose 

The goal of this effort is to provide the Designated Accrediting Authority (DAA) with the 
information necessary to complete the security certification and accreditation (C&A) process. 

The C&A process validates that the required safeguards have been identified and implemented 
on the system. The culmination of this effort will be system accreditation (i.e. formal approval 
to operate) by the DAA. 

1.2. Background 

This security concept of operations (CONOPS) describes the planned operating conditions of the 
DCS3000 and the expected residual risk of operating the system. The system descriptions and 
security requirements provided herein are intended to assist the Designated Accrediting 
Authority (DAA) in determining the appropriate set of technical and non-technical safeguards for 
protecting the information in the DCS3000 system. 

1.3. Project/Program Overview 

The DCS3000 was developed by personnel from the Telecommunications Intercept and 
Collection Technology Unit (TICTU) of the Cyber Technology Section of the Federal Bureau of 
Investigation (FBI). The TICTU is located at the FBI Engineering Research Facility (ERF), 
Building # 27958A Quantico, VA 22135. 

The DCS3000 has been in operation since 1997 and is operational in 55 of 56 FBI field offices 
across the United States. 

1.4. Assumptions 

The security requirements described in this CONOPS are based on the following assumptions: 

• The clearance process is adequate to reduce the risk of insider threat. 

• Adequate physical access controls are being implemented as planned. 

• Interconnected network elements outside the scope of this system are secured. 

2. REFERENCES 

This document has been prepared in accordance with guidance provided by: 

• FBI Certification and Accreditation Handbook (Draft), October 17, 2002 

• FBI, Manual of Investigative Operations and Guidelines (MIOG), Part II, Section 35 

• FBI, Manual of Administrative Operations and Procedures (MAOP) Part I, Section 259, 
Security Clearance Investigations 
3. CURRENT OPERATING ENVIRONMENT 

3.1. Current System 
To conduct court-ordered ELSUR operations, LEAs dial into switches that are devices used by 
telecommunications service providers to route telephone calls to their destinations. The 
DCS3000 can collect ELSUR data under the following warrant types: 

• Pen Register - limited to call data 

• Title III - limited to call data and call content 

• Cooperative Warrant - limited to call data and call content for phone numbers that do not 
belong to identified associates. 

3.2. Major System Components 

The DCS3000 suite consists of five component applications residing on one or more 
workstations. The components of the DCS suite used to support a particular requirement depend 
upon the type of surveillance to be conducted, the switch providing the data, the 
telecommunications service provider, and availability of equipment at the field office. The 
DCS3000 consists of the following applications: 

• Client 

• Server 

• MultiServer 

• VANGuard 

• MultiVANGuard 

The Client 

The client is used to enter warrants, and to collect incoming call data and record call content in 
formats that are appropriate for use as evidence. Surveillance operations can be interrupted or 
closed from the client. The client is required for surveillance operations unless these capabilities 
are performed via a third-party application such as a collection platform. 

The client may collect data within the following guidelines: 

• Support one Title III, Cooperative Warrant, or one Push-to-Talk (PTT) collection and/or 

• Support multiple Pen Register collections 

• Connect to multiple servers or MultiServers (up to 35) 

The Server 

The server receives data from the switch and routes that data to the client. The server is the only 
application that can receive and route data for PTT calls. The server can support the following: 

• Multiple Title III, Cooperative Warrant, or PTT collections 

• Multiple Pen Register collections 

• Multiple client connections 

• Connection to one switch 

The MultiServer 

The MultiServer provides the same functionality as the server, except that it has the ability to 
connect to multiple switches. It is sometimes referred to as the Multiple Switch Server. In 
addition to multiple-switch connections, the MultiServer can support the following: 

• Multiple Title III and Cooperative Warrant collections 

• Support multiple Pen Register collections 

• Multiple client connections 

The VANGuard 

The VANGuard buffers data from [redacted] compliant switches, and routes the [redacted] 
data to the server or MultiServer. It enables field offices to collect data periodically, thus saving 
on potential long distance charges. While multiple switches can connect to the VanGuard, the 
VanGuard can connect to only one switch. 

The Multi- VANGuard 

The Multi-VANGuard can buffer data from multiple [redacted] switches. It can be referred to as the 
Multiple-Switch VANGuard. Like the VANGuard, the Multi-VANGuard enables field offices to 
collect data periodically, thus saving on potential long distance charges. This application can, 
also, be used to monitor the status of current connections. Users can reset a connection if a 
problem is detected. The VanGuard can connect to up to 25 switches. 

3.3. User Organizations and Personnel 

In addition to cognizant system management and engineering personnel at the TICTU located 
within the FBI ERF, other user personnel are found at FBI field offices throughout the United 
States and Puerto Rico. 

4. SYSTEM OPERATIONAL OVERVIEW 
4.1. Networking Infrastructure 

The DCS3000 is connected to the telecommunications service provider via TCP/IP. The 
connection can be established either by the DCS3000 or by the switch. Data transmitted to the 
DCS3000 in support of Title III, Pen Register, or Cooperative Warrant collections is sensitive- 
but-unclassified (SBU). 

The DCS3000 is a modular system that can be set up and configured to meet specific case needs. 
Figure 1 represents a typical configuration for Pen Register collections. Call data is provided 
from the switch to the VanGuard, which stores the data temporarily, until it is collected by 
Multiserver and forwarded to the client. The MultiServer and client could reside on the same 
workstation. Figure 2 represents a typical configuration for Title III collections at one LEA 
location. In this case the Multiserver and clients are connected via a LAN. Call content is 
provided on a channel independent of the call data. 
[Figure 2: DCS3000 Configuration - Title III] 

Table 4-1 represents sample data channel and content channel delivery mechanisms for 
telecommunications service providers. 


Table 4-1. Sample Interconnection Configurations 

Service Provider   Call Data Channel                                        Call Content Channel 
[redacted]         TCP/IP over ISDN                                         Dial-out from switch to directory number 
[redacted]         TCP/IP over leased line                                  Dial-out from switch to directory number 
[redacted]         TCP/IP over dedicated connection (frame relay or VPN)    Dial-out from switch to directory number 
[redacted]         TCP/IP over dedicated connection                         Dial-out from switch to directory number 
[redacted]         TCP/IP over X.25, ISDN BRI                               T1 


4.2. Information Transfer and Collaboration 

The DCS3000 is connected to and transfers data from the telecommunications service provider 
via TCP/IP. The connection can be established either by the DCS3000 or by the switch. 

4.3. Hardware 

The following subsections list and describe the major hardware required to operate the DCS3000 
system. 

4.3.1. Workstations 

DCS3000 can be installed on any Pentium-based workstation running Microsoft Windows 2000. 
The minimum memory requirements are the same as the minimum required for running the 
operating system. 

Client workstations must have a Recorder Control Interface (RCI) card and recorder to support a 
Title III collection. A separate Client workstation is needed for each Title III target. 

4.3.2. Data Communications Equipment 

DCS3000 uses the following telecommunications equipment to establish data communications: 

• Cisco 1610 router 

• US Robotics Courier V.Everything External Modem 
4.4. Software 

The following subsections list and describe the major software required to operate the DCS3000 
system. 

4.4.1. Operating System 

All DCS3000 applications run under the Microsoft Windows 2000 operating system. 

4.4.2. DCS Applications 
Please refer to section 3.1 above. 

4.4.3. Security Software 

The DCS3000 system employs McAfee VirusScan anti-viral software. 

4.5. Maintenance 

The DCS3000 Users’ Guide includes maintenance procedures that include preventive 
maintenance, scheduled to maximize the availability of the system, and thus to minimize 
interference with the operation of the system. TICTU provides on-call maintenance support of 
fielded systems. 

5. SECURITY 


b2 
FBI system users receive background checks based on their job function before they acquire 
system privileges in accordance with the FBI personnel policy. Non-Bureau personnel who are 
required to perform maintenance on DCS3000 within a central monitoring plant (CMP) may be 
approved for escorted access based on an FBI-conducted Limited Background Investigation. 

5.2. Physical Environment 

DCS3000 systems physically reside in FBI field offices within CMPs. Because the DCS3000 
resides in the field offices, access to CMP housing the system is restricted to authorized 
personnel only. Central monitoring plants are locked at all times and controlled by a variety of 
access control devices and procedures. Authorized personnel escort any unauthorized personnel 
(e.g., maintenance personnel, facility support contractors) in order to monitor their activity while 
in the CMP. 

5.3. Data Storage Media 

Though the primary function of this system is not data storage, it does store some data 
temporarily before it is collected by the Multiserver and forwarded to the client. Call data is 
provided from the switch to the VanGuard and temporarily stored until the MultiServer collects 
it and sends it to the client. 

LIMITED OFFICIAL USE ONLY 
Department of Justice 
Federal Bureau of Investigation 
Security Concept of Operations 
October 22, 2002 

5.4. Backup and Recovery 

The DCS3000 provides a capability to conduct backup storage and restoration of data and access 
controls. The DCS3000 Users’ Guide includes recovery procedures that assure that system 
recovery is done in a trusted and secure manner. 

The DCS3000 backup capability provides for the restoration of any security-relevant segment of 
the system state (e.g., access control lists, cryptologic keys, deleted system status information) 
without requiring destruction of other system data. 


6. POINTS OF CONTACT 

[redacted], DCS3000 Program Manager 
Investigative Technology Division (ITD) 
FBI Engineering Research Facility (ERF) 
Tele. No. [redacted] 

[redacted], Senior Systems Analyst (Contractor) and ISSO 
ITD/ERF 
Tele. No. [redacted] 
SECRET/NOFORN 
WORKING PAPERS 

Review of CSOC SSP compared to Certification Test Reports 
Section 3.5.1 - has the system classifications as 

UNCLASSIFIED/FOUO/SBU/NOFORN but NO SECRET, however, the overall 
classification of the document is SECRET/NOFORN 

Section 3.6.1 - Over-classification - The SSP classifies [redacted] as SECRET/NOFORN 

Section 3.7 describes Tier Description as SECRET/NOFORN 

Section 3.8 System mode of operation is classified as SECRET/NOFORN 

Section 7.4.1 - States that Active Directory is not implemented on the system, however, I 
believe what is intended is on the low-side AD is not implemented but on the High-Side 
AD is activated and Kerberos is operational ONLY on the High-Side. 

Section 7.5.8 - System Start-Up - CSOC servers are configured to be started cold 
without admin input, start without users being logged in. 

Privileged Users Guide 

Paragraph 7.3.5 - Technical Access Mechanisms - Screen saver lock requires a 
password, conflicts with Section 12 Exception; the CSOC does not utilize Screen Lock 
on monitors per the SSP 

Section 7.28 - states lockout after 3 tries but CTR references 4 tries 
SSP conflicts with Users Guide 


a. 3 tries for lock out - SSP states 4 tries as does CTR 

b. Kerberos policy needs to be defined between the two sides of the system; high- 
side uses Kerberos but the low-side do not have Active Directory activated and 
cannot use Kerberos. 

Tier EC - level of concern, mode of operation, and tier level are all UNCLASSIFIED 
but the SSP classified all these levels at SECRET/NOFORN 

Certification Test Report - Low-Side Comments 


Test ID     Result   Comments 
AC-5.3.4    Pass     Screen Saver not used - exception to policy per SSP section 12 
AC-5.3.5    Pass     No admin required to start servers; servers are set to start without any user interface 
AC-5.3.12   Pass     Kerberos - SSP 7.4.1: Do not implement Active Directory; cannot use Kerberos w/o AD being applied to the operating system 
SECRET/NOFORN 
WORKING PAPERS 

I&A 3.2.1    Pass   Unique users; SSP 7.5.8 servers start up without any user interface 
DT 2.2.1     Pass   Kerberos - will not work w/o AD being activated 


Comments from the CSOC SSP 

(U) Related to the classification of data on the CSOC system; paragraph 3.1 of SSP states: 

(U) Health and welfare plus allows CSOC through Unicenter software, also provides 
HELP DESK functions, system troubleshooting and environmental monitoring. 

a. Help desk functions to all Field Offices with collection systems. 

b. Remote trouble shooting and resolution of identified system problems. 

The following sections were not marked with section classification markings: 

3.9; 3.9.1; 3.9.3; 3.9.5; 3.9.7; 3.9.8; 3.9.9; 

(U) Section 3.9.9 states this system does not store or process data stored on any other 
system. Question: how can CSOC perform help desk and troubleshooting the other 
systems without being able to access the data and store the information on the system? 

(S/NF) Services all MS File Sharing; Kerberos; SNMP; Telnet; FTP, HTTP; 
TCP/UDP/ICMP 

(S/NF) paragraph 7.2.6 - Users can change Passwords whenever, they want to, however 
the block for 3 months was checked. 

(U) Paragraph 8.2 - A privileged user’s guide is available 

There are apparently normal users generated on the CSOC system; however, only a 
privileged user’s guide is generated. Section 7.2.1 - Page 14 -Users are assigned 
individual accounts and passwords normally its regional managers. 

Section 12 EXCEPTIONS 

No Screen savers will be used in the CSOC system 
(U) Appendix A to the Privileged Users Guide 

(S/NF) Remote Admin Client (ITDRAC) remote capability for the DSMs, to port patches 
and provides general system administration over the network. ITD Client is the remote 
admin for DCS 5000. 

(S/NF) Section 7.6.6 Audited Activities 
No auditing for either success or failure for 

- Information Downgrades or overrides 

- Copying data to re-moveable media 
SECRET/NOFORN 
WORKING PAPERS 
(U) Appendix B to the Privileged Users Guide 

(S/NF) No remote access on the unclassified side 

7.4.2 Monitor - Kerberos and a trusted path, however Active Directory is not utilized on 
the Low-Side therefore Kerberos will not function in a Windows based operating system. 

(S/NF) 3.1.3 No IDS on the CSOC System 

The server settings state that the Guest account was renamed to XGUEST; however the 
account was set to 0 or disabled. 

01/23/2006 


I've had a meeting with [redacted] from CU Testing on Friday 01/20/2006, and he 
was quite adamant that the CSOC system was only a health and welfare system, however, 
after reviewing the SSP in depth and talking to [redacted] on January 23, I 
confirmed that the CSOC system is in fact a full blown help desk and troubleshooting 
system in addition to the health and welfare functions as tested. I asked [redacted] several 
times if the CSOC turned out to be a help desk and troubleshooting system [illegible] DCS- 
5000 would that modify their testing in any way, and he continually stated it would not. 
COMMENT: 

I would think that at a least some additional testing should be conducted to ensure that no 
residual collection data is being maintained by the CSOC system. Based on the facts 
surfaced I would not agree to the CSOC system data being downgraded to SBU, but must 
stay at SECRET/NOFORN based on the level of support rendered. 
INTRODUCTION 

There is risk in any endeavor. One of the ways to cost effectively preserve assets is to 
manage risk. Managing risk entails accounting for assets and how to protect them. The following 
is an analysis of the certification documentation to include the Statement of Residual Risk for the 
DCS3000. The Security Evaluation Report (SER) examines the nature of the DCS3000, the 
inherent risks, mitigating strategies, recommended countermeasures (if any), security safeguards 
in use and subsequent residual risk to the system. The SER provides information to the 
Designated Accrediting Authority (DAA) regarding the overall security posture of the system. 

Based on the analysis, the DAA Representative makes a recommendation to the DAA for an 
accreditation decision. 

1. Background 

The DCS3000 is an electronic surveillance (ELSUR) collection system that supports 
criminal law enforcement (CLE) Title III criminal investigations. It is modular, therefore it is set 
up for each case. The dataflow occurs in the following manner: [redacted] 

b2 
The system is used in several environments. FBI collection efforts and FBI/other federal, 
state or local agency joint collection efforts are controlled by FBI personnel. Although the FBI 
loans equipment and software to other law enforcement agencies for court ordered collections, 
the local agency is responsible for establishing and maintaining these collection efforts with the 
TSP. These standalone installations in local PDs, where the FBI provides no additional support 
or connectivity, are not a part of the DCS3000 accreditation. Therefore, this evaluation considers 
only equipment under FBI control and only the network connectivity with the TSP. 

DCS3000 data is collected in support of criminal cases and is protected as evidence. If 
this data is inappropriately divulged, the certifier stated that it may cause a loss of life. Therefore, 
a Medium level of concern was assigned for Data Confidentiality by the certifier. However, since 
the certifier assigned this level of concern, the most recent version of the FBI C&A Handbook 
elevated the loss of confidentiality where data compromise could "... lead to personnel safety 
[sic] or loss of life, if disclosed; human sources (informants, assets, cooperating witnesses) would 
be placed in compromising situations if information was disclosed ..." to a High level of 
concern. Therefore, the DAA Representative has conducted this evaluation accordingly. 

Data that is passed through the DCS3000 must not be altered or lost, since it is collected 
for possible use as evidence in criminal cases. Additionally, lost or altered audio data could 
jeopardize undercover law enforcement personnel lives and activities, according to the SSP. 
Therefore, a Medium level of concern was assigned for Integrity by the certifier. The current 
version of the FBI C&A Handbook has elevated possible loss of life to a High level of concern. 
The DAA Representative has conducted this evaluation accordingly. 

During an investigation in which the DCS3000 is used, it is critical that the system is 
available at all times to record data. If the system becomes unavailable for any reason, law 
enforcement personnel lives and the cases can be put in jeopardy. Lack of availability would 
impact the organizational mission, rather than National Security interests. For these reasons, a 
Medium level of concern has been assigned for Availability by the certifier, according to the FBI 
C&A Handbook. 

The following evaluation is based on the DCS3000 System Security Plan (SSP) and Risk 
Report dated December 17, 2002 and received a second time by the Accreditation Unit March 25, 
2003. 


2. Evaluation of C&A Package 

The certifiers approached the system as a Tier 2 and security testing was performed. 

Below is a description of some of the security safeguards for the DCS3000: 

The Information System Security Officer (ISSO), who has overall system security 
responsibility for the secure installation, performance and day-to-day operation, has been assigned 
to [redacted]. Each field office with the system should have an ISSO. There is 
separation of duties between system (Users) and security system administration. 

The operating system used, Windows 2000, is listed on the EPL (Evaluated Products List) 
and evaluated at the C2 level. I&A, Object Reuse and Audit are implemented by Windows 2000 
operating system. The system is configured before deployment. 

Virus DAT files are updated as they become available, or immediately after a collection 
effort has been completed. Removable media is scanned before transferring data to the Telephone 
Application (TA) on FBINET. 

The DCS3000 routers, servers and terminals included in this evaluation are located in FBI 
controlled spaces or, when co-located, controlled by FBI personnel. All personnel having access 
to the DCS3000 operations within FBI controlled spaces have at least Secret clearances. If the 
collection effort and supporting court order are non-DOJ and not controlled by FBI personnel, 
they are obligated to comply with "Attorney General Guidelines for Loan of Technical 
Equipment". 

3. Statement of Residual Risk 

Accreditation is the formal declaration by the accrediting authority that a system is 
approved to operate in a particular security mode using a prescribed set of safeguards. Part of the 
accreditation process is the acceptance of a given level of risk against a defined threat. The 
accrediting authority must balance: 

-- the risk of disclosure, loss or alteration of information; 

-- the availability of the system based on the vulnerabilities identified by the certification 
process; 

-- the threat that these vulnerabilities may be exploited in the specific environment in 
which the system is being used; and 

-- the operational needs and benefits associated with the system under evaluation. 

The following is a summary of the security issues and mitigation factors which were 
identified through the risk analysis, certification activities and accreditation review. The certifiers 
considered the following to be of Medium risk. With proposed mitigating strategies in place, the 
overall risk to the system will be Low. 

Vulnerability 1: Accounts locked due to successive logon failures are locked for 30 
minutes instead of forever, as required. An unauthorized user 
could try four times, every 30 minutes, to guess a password. 

Risk Impact: There is a potential for a user to access evidence surreptitiously. 

Current Mitigating Factors: There is no remote access to the servers and 
clients. Therefore, all system access requires physical access to the terminals. 
Physical access to a collection site is controlled. It would take a considerable 
amount of time to crack a password. This increases the likelihood of discovering 
unauthorized activity. Additionally, it would probably be easier to look over a 
user's shoulder and steal a password. The thirty minute lockout is a reasonable 
deterrent to unauthorized use, while permitting continuous monitoring. The risk is 
assessed as LOW. 

Recommended Countermeasure: As users need constant access for collection 
and monitoring activities, a thirty minute lockout is sufficient to deter unauthorized 
access in an FBI controlled space, yet allow valid users to perform their work. 

The DAA Representative recommends granting a policy exception in this instance. 
Vulnerability 3: There are no documented procedures for the retention or review of 

the audit logs. 

Risk Impact: Security relevant events could go undetected. Audit logs could be 
overwritten and evidence to trace user actions could be lost. 

Current Mitigating Factors: The Windows 2000 OS security audit log is 
enabled with the correct settings when deployed. There are a limited number of 
users at each deployment. The risk is assessed as MEDIUM. 

Recommended Countermeasure: Develop audit review and retention 
procedures for each deployment at sites where the FBI is a participant. 

4. Recommendation 

The DCS3000 was assessed by the certifier as a Tier 2, Protection Level 1 system. Levels 
of concern for Availability, Integrity and Confidentiality were assessed as Medium by the certifier. 
The DAA Representative elevated levels of concern for Integrity and Confidentiality to High 
based on the rationale presented in Section One. It is recommended, by the DAA Representative, 
that the DCS3000 be accredited at the SBU level with a Dedicated Security Mode of Operation 
for three years. 
Audit review and retention procedures should be developed and implemented within 180 
days. After the 180 days, it is recommended that the Information Technology Systems Unit 
(ITSU) provide a formal notice that the countermeasure has been enacted and verified. If, after 
180 days, formal notice has not been received, the DAA Representative will recommend 
rescinding the accreditation. Additionally, the DAA Representative emphasizes the importance of 
scanning all media for malicious code with current virus scan DAT files after copying from the 
DCS3000 and before uploading into the TA on FBINET. 